CompTIA Security+ (Study Notes)


Overview of Security 


Welcome 
o Domains (SYO-601) 
= Attacks, Threats, and Vulnerabilities (24%) 
= Architecture and Design (21%) 
= Implementation (25%) 
= Operations and Incident Response (16%) 
= Governance, Risk, and Compliance (14%) 
o 90 minutes to answer up to 90 questions 
o Minimum to Pass 


750 out of 900 


Overview of Security 


[Figure: the Security vs. Convenience trade-off]
o Information Security 
= Act of protecting data and information from unauthorized access, 
unlawful modification and disruption, disclosure, corruption, and 
destruction 
o Information Systems Security 
= Act of protecting the systems that hold and process our critical data 
o Basics and Fundamentals
o Confidentiality
= Information has not been disclosed to unauthorized people 
o Integrity 
= Information has not been modified or altered without proper 
authorization 
o Availability 
= Information is able to be stored, accessed, or protected at all times 


AAA of Security 
o Authentication 
= When a person’s identity is established with proof and confirmed by a 
system 
e Something you know 
e Something you are 
e Something you have 
e Something you do 
e Somewhere you are 
o Authorization 
= Occurs when a user is given access to a certain piece of data or certain 
areas of a building 
o Accounting 
= Tracking of data, computer usage, and network resources 
= Non-repudiation occurs when you have proof that someone has taken an 
action 
Security Threats
o Malware 
= Short-hand term for malicious software 
o Unauthorized Access 
= Occurs when access to computer resources and data occurs without the 
consent of the owner 
o System Failure 
= Occurs when a computer crashes or an individual application fails 
o Social Engineering 
= Act of manipulating users into revealing confidential information or 
performing other detrimental actions 


Mitigating Threats 
o Physical Controls 
= Alarm systems, locks, surveillance cameras, identification cards, and 
security guards 
o Technical Controls 
= Smart cards, encryption, access control lists (ACLs), intrusion detection 
systems, and network authentication 
o Administrative Controls 
= Policies, procedures, security awareness training, contingency planning, 
and disaster recovery plans 
= User training is the most cost-effective security control to use 


Hackers 
o Five Types of Hackers 
= White Hats 
e Non-malicious hackers who attempt to break into a company’s 
systems at their request 
= Black Hats 
e Malicious hackers who break into computer systems and 
networks without authorization or permission 
= Gray Hats 
e Hackers without any affiliation to a company who attempt to 
break into a company’s network but risk the law by doing so 
= Blue Hats 
e Hackers who attempt to hack into a network with permission of 
the company but are not employed by the company 
= Elite
e Hackers who find and exploit vulnerabilities before anyone else does
e 1 in 10,000 are elite
o Script kiddies have limited skill and only run other people’s exploits and tools


e Threat Actors 
o Script Kiddies 


= Hackers with little to no skill who only use the tools and exploits written 
by others 


o Hacktivists 


= Hackers who are driven by a cause like social change, political agendas, or 
terrorism 


o Organized Crime 


= Hackers who are part of a crime group that is well-funded and highly 
sophisticated 
o Advanced Persistent Threats 


= Highly trained and funded groups of hackers (often by nation states) with 
covert and open-source intelligence at their disposal 


[Figure: threat actor skill level, lowest to highest: Script Kiddies, Hacktivists, Organized Crime, APTs]
Threat Intelligence and Sources


Timeliness 
o Property of an intelligence source that ensures it is up-to-date 
Relevancy 
o Property of an intelligence source that ensures it matches the use cases intended 
for it 
Accuracy 
o Property of an intelligence source that ensures it produces 
effective results 
Confidence Levels 
o Property of an intelligence source that ensures it produces qualified statements 
about reliability 


Proprietary 
o Threat intelligence is very widely provided as a commercial service offering, 
where access to updates and research is subject to a subscription fee 
Closed-Source 
o Data that is derived from the provider's own research and analysis efforts, such 
as data from honeynets that they operate, plus information mined from its 
customers’ systems, suitably anonymized 
Open-Source 
o Data that is available to use without subscription, which may include threat 
feeds similar to the commercial providers and may contain reputation lists and 
malware signature databases 


= US-CERT
= UK’s NCSC
= AT&T Security (OTX)
= MISP
= VirusTotal
= Spamhaus
= SANS ISC Suspicious Domains


Open-Source Intelligence (OSINT) 
o Methods of obtaining information about a person or organization through public 
records, websites, and social media 
Threat Hunting


Threat Hunting 
o A cybersecurity technique designed to detect the presence of threats that have not
been discovered by normal security monitoring
o Threat hunting is potentially less disruptive than penetration testing
Establishing a hypothesis 
o A hypothesis is derived from threat modeling and is based on potential
events with higher likelihood and higher impact
Profiling Threat Actors and Activities
o Involves the creation of scenarios that show how a prospective attacker might
attempt an intrusion and what their objectives might be


Threat hunting relies on the usage of the tools developed for regular security monitoring
and incident response
o Analyze network traffic
o Analyze the executable process list
o Analyze other infected hosts
o Identify how the malicious process was executed


Threat hunting consumes a lot of resources and time to conduct, but can yield a lot of
benefits
o Improve detection capabilities
o Integrate intelligence
o Reduce attack surface
o Block attack vectors
o Identify critical assets
Attack Frameworks


e Kill Chain 
o A model developed by Lockheed Martin that describes the stages by which a 
threat actor progresses a network intrusion 


= Reconnaissance 

e The attacker determines what methods to use to complete the 
phases of the attack 

= Weaponization 

e The attacker couples payload code that will enable access with 
exploit code that will use a vulnerability to execute on the target 
system 

= Delivery 

e The attacker identifies a vector by which to transmit the 
weaponized code to the target environment 

= Exploitation 

e The weaponized code is executed on the target system by this 
mechanism 

= Installation 

e This mechanism enables the weaponized code to run a remote 
access tool and achieve persistence on the target system 

= Command & Control (C2) 

e The weaponized code establishes an outbound channel to a 
remote server that can then be used to control the remote access 
tool and possibly download additional tools to progress the attack 

= Actions on Objectives 

e The attacker typically uses the access he has achieved to covertly 
collect information from target systems and transfer it to a 
remote system (data exfiltration) or achieve other goals and 
motives 

e Kill chain analysis can be used to identify a defensive course-of-action
matrix to counter the progress of an attack at each stage


e MITRE ATT&CK Framework 
o A knowledge base maintained by the MITRE Corporation for listing and
explaining specific adversary tactics, techniques, and common knowledge or 
procedures (attack.mitre.org) 

o The pre-ATT&CK tactics matrix aligns to the reconnaissance and weaponization 
phases of the kill chain 

e Diamond Model of Intrusion Analysis 

o A framework for analyzing cybersecurity incidents and intrusions by exploring 
the relationships between four core features: adversary, capability, 
infrastructure, and victim 
Malware


Malware 
o Malware 
= Software designed to infiltrate a computer system and possibly damage it 
without the user’s knowledge or consent 
e Viruses 
e Worms 
e Trojan horses 
e Ransomware 


e Spyware 
e Rootkits 
e Spam 
Viruses 
o Virus 


= Malicious code that runs on a machine without the user’s knowledge and 
infects the computer when executed 
= Viruses require a user action in order to reproduce and spread 
e Boot sector 
o Boot sector viruses are stored in the first sector of a hard 
drive and are loaded into memory upon boot up 
e Macro 
o Virus embedded into a document and is executed when 
the document is 
opened by the user 
e Program 
o Program viruses infect an executable or application 
e Multipartite 
o Virus that combines boot and program viruses to first 
attach itself to the boot sector and system files before 
attacking other files on the computer 
e Encrypted 
e Polymorphic 
o Advanced version of an encrypted virus that changes itself 
every time it is executed by altering the decryption 
module to avoid detection 
e Metamorphic
o Virus that is able to rewrite itself entirely before it 
attempts to infect a file (advanced version of polymorphic 
virus) 
e Stealth 
e Armored 
o Armored viruses have a layer of protection to confuse a 
program or person analyzing it 


e Hoax 
e Worms 
o Worm 
= Malicious software, like a virus, but is able to replicate itself without user 
interaction 
= Worms self-replicate and spread without a user’s consent or action 
= Worms can cause disruption to normal network traffic and computing 
activities 
= Example 
e 2009: 9-15 million computers infected with Conficker
e Trojans 


o Trojan Horse 
= Malicious software that is disguised as a piece of harmless or desirable 
software 
= Trojans perform desired functions and malicious functions 
o Remote Access Trojan (RAT) 
= Provides the attacker with remote control of a victim computer and is the 
most commonly used type of Trojan 


e Ransomware 
o Ransomware 

= Malware that restricts access to a victim’s computer system until a 
ransom is received 

= Ransomware uses a vulnerability in your software to gain access and then 
encrypts your files 

= Example 

e $17 million: SamSam cost the City of Atlanta 
Spyware
o Spyware
= Malware that secretly gathers information about the user without their 
consent 


= Captures keystrokes made by the victim and takes screenshots that are 
sent to the attacker 
o Adware 
= Displays advertisements based upon its spying on you 
o Grayware 
= Software that isn’t benign nor malicious and tends to behave improperly 
without serious consequences 


Rootkits 
o Rootkit 
= Software designed to gain administrative level control over a system 
without detection 
= DLL injection is commonly used by rootkits to maintain their persistent 
control 
o DLL Injection 
= Malicious code is inserted into a running process on a Windows machine 
by taking advantage of Dynamic Link Libraries that are loaded at runtime 
o Driver Manipulation 
= An attack that relies on compromising the kernel-mode device drivers 
that operate at a privileged or system level 
= A shim is placed between two components to intercept calls and redirect
them
o Rootkits are activated before booting the operating system and are difficult to 
detect 
Spam 
o Spam 


= Activity that abuses electronic messaging systems, most commonly 
through email 

= Spammers often exploit a company’s open mail relays to send their 
messages 

= CAN-SPAM Act of 2003 
e Summary of Malware
o Virus 
= Code that infects a computer when a file is opened or executed 
o Worm 
= Acts like a virus but can self-replicate 
o Trojan 
= Appears to do a desired function but also does something malicious 
o Ransomware 
= Takes control of your computer or data unless you pay 
o Spyware 
= Software that collects your information without your consent 
o Rootkit 
= Gains administrative control of your system by targeting boot loader or 
kernel 
o Spam 
= Abuse of electronic messaging systems 
Malware Infections


e Malware Infection 
o Threat Vector 
= Method used by an attacker to access a victim’s machine 


o Attack Vector 
= Method used by an attacker to gain access to a victim’s machine in order 
to infect it with malware 


e Common Delivery Methods 
o Malware infections usually start within software, messaging, and media 


o Watering Holes 
= Malware is placed on a website that you know your potential victims will 
access 


[Figure: the legitimate DionTraining.com beside a look-alike DionTrainings.com]
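The look-alike domain in the figure above is the kind of name a watering hole or typosquatting page hides behind. As an added example, not code from the study notes, the check below flags such names against a small allowlist by undoing common digit-for-letter substitutions and then measuring edit distance; the allowlist, the substitution table and the distance threshold are assumptions for this example.

```python
"""Added example (not from the study notes): flag look-alike domains such as
DionTrainings.com against a small allowlist of trusted domains, using a
digit/letter homoglyph fold plus Levenshtein edit distance. The allowlist,
the fold table and the distance threshold are assumptions for this example."""

TRUSTED_DOMAINS = {"diontraining.com", "comptia.org"}  # constructed allowlist

# Common substitutions used to make a fake name look like the real one.
HOMOGLYPHS = {"rn": "m", "0": "o", "1": "l", "3": "e", "5": "s", "vv": "w"}

MAX_DISTANCE = 2  # edits at or below this count as a look-alike


def registrable(host: str) -> str:
    """Lower-case the host name and drop a leading 'www.'."""
    host = host.strip().lower()
    return host[4:] if host.startswith("www.") else host


def fold(host: str) -> str:
    """Normalise the name and undo homoglyph substitutions before comparing."""
    host = registrable(host)
    for fake, real in HOMOGLYPHS.items():
        host = host.replace(fake, real)
    return host


def levenshtein(a: str, b: str) -> int:
    """Minimum number of single-character edits turning a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # deletion
                           cur[j - 1] + 1,              # insertion
                           prev[j - 1] + (ca != cb)))   # substitution
        prev = cur
    return prev[-1]


def check_domain(host: str):
    """Return (verdict, closest trusted domain, edit distance after folding).

    An exact match is 'trusted'; a name that only matches after folding, or
    that is within MAX_DISTANCE edits of a trusted name, is a 'lookalike'."""
    raw = registrable(host)
    if raw in TRUSTED_DOMAINS:
        return "trusted", raw, 0
    folded = fold(host)
    closest, best = min(((t, levenshtein(folded, t)) for t in TRUSTED_DOMAINS),
                        key=lambda pair: pair[1])
    if best <= MAX_DISTANCE:
        return "lookalike", closest, best
    return "unrelated", closest, best


if __name__ == "__main__":
    for name in ["www.DionTraining.com", "DionTrainings.com",
                 "di0ntraining.com", "example.org"]:
        print(f"{name:<22} -> {check_domain(name)}")
```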


e Botnets and Zombies 
o Botnet 
= A collection of compromised computers under the control of 
a master node 
= Botnets can be utilized in other processor intensive functions and
activities 


e Active Interception & Privilege Escalation 
o Active Interception 
= Occurs when a computer is placed between the sender and receiver and 
is able to capture or modify the traffic between them 
o Privilege Escalation
= Occurs when you are able to exploit a design flaw or bug in a system to 
gain access to resources that a normal user isn’t able to access 


Backdoors and Logic Bombs 
o Backdoors are used to bypass normal security and authentication functions 
o Remote Access Trojan (RAT) is placed by an attacker to maintain persistent 
access 
o Logic Bomb 
= Malicious code that has been inserted inside a program and will execute 
only when certain conditions have been met 
o Easter Egg 
= Non-malicious code that when invoked, displays an insider joke, hidden 
message, or secret feature 
o Logic bombs and Easter eggs should not be used according to secure coding 
standards 
Symptoms of Infection 
o Your computer might have been infected if it begins to act strangely 
= Hard drives, files, or applications are not accessible anymore 
= Strange noises occur 
= Unusual error messages 
= Display looks strange 
= Jumbled printouts 
= Double file extensions are being displayed, such as textfile.txt.exe 
= New files and folders have been created or files and folders are 
missing/corrupted 
= System Restore will not function 


Removing Malware
o Identify symptoms of a malware infection
o Quarantine the infected systems
o Disable System Restore (if using a Windows machine)
o Remediate the infected system
o Schedule automatic updates and scans
o Enable System Restore and create a new restore point
o Provide end user security awareness training
o If a boot sector virus is suspected, reboot the computer from an external device
and scan it


Preventing Malware 
o Malware types to prevent: Viruses, Worms, Trojans, Ransomware, Spyware, Rootkits, Spam
o Worms, Trojans, and Ransomware are best detected with anti-malware solutions
o Scanners can detect a file containing a rootkit before it is installed...
o ...removal of a rootkit is difficult and the best plan is to reimage the machine
o Verify your email servers aren’t configured as open mail relays or SMTP open
relays
o Remove email addresses from website
o Use whitelists and blacklists
o Train and educate end users
= Update your anti-malware software automatically and scan your 
computer 
= Update and patch the operating system and applications regularly 
= Educate and train end users on safe Internet surfing practices 
Malware Exploitation


e Exploit Technique 
o Describes the specific method by which malware code infects a target host 
o Most modern malware uses fileless techniques to avoid detection by signature- 
based security software 

o How does an APT use modern malware to operate? 
= Dropper or downloader 
= Maintain access
= Strengthen access
= Actions on objectives 
= Concealment 


e Dropper 
o Malware designed to install or run other types of malware embedded in a
payload on an infected host
e Downloader 
o A piece of code that connects to the Internet to retrieve additional tools after 
the initial infection by a dropper 
e Shellcode 
o Any lightweight code designed to run an exploit on the target, which may include 
any type of code format from scripting languages to binary code 
e Code Injection 
o Exploit technique that runs malicious code with the identification number of 
a legitimate process 
= Masquerading 
= DLL injection 
= DLL sideloading 
= Process hollowing 
o Droppers are likely to implement anti-forensics techniques to prevent detection 
and analysis 
e Living Off the Land 
o Exploit techniques that use standard system tools and packages to perform 
intrusions 
o Detection of an adversary is more difficult when they are executing malware 
code within standard tools and processes 
Security Applications and Devices


Software Firewalls
o Personal Firewalls
= Software application that protects a single computer from unwanted
Internet traffic
= Host-based firewalls
e Windows Firewall (Windows)
e PF and IPFW (OS X)
e iptables (Linux)
o Many anti-malware suites also contain software firewalls


IDS
o Intrusion Detection System
= Device or software application that monitors a system or network and
analyzes the data passing through it in order to identify an incident or
attack
= HIDS
e Host-based IDS
= NIDS
e Network-based IDS
[Figure: an attacker’s traffic passing through a NIDS]
o Signature, Policy, and Anomaly-based detection methods
= Signature-based
e A specific string of bytes triggers an alert
= Policy-based 
e Relies on specific declaration of the security policy (i.e., ‘No Telnet 
Authorized’) 
= Anomaly-based 
e Analyzes the current traffic against an established baseline and 
triggers an alert if outside the statistical average 
o Types of Alerts 
= True positive 
e Malicious activity is identified as an attack 
= False positive 
e Legitimate activity is identified as an attack 
= True negative 
e Legitimate activity is identified as legitimate traffic 
= False negative
e Malicious activity is identified as legitimate traffic 
o IDS can only alert and log suspicious activity... 
o IPS can also stop malicious activity from being executed 
o HIDS logs are used to recreate the events after an attack has occurred 
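To make the three detection methods and the four alert types concrete, here is an added example (not code from the study notes) that runs a signature check, a "No Telnet Authorized" policy check and a baseline-driven anomaly check over a few constructed traffic records, then scores each decision as a true/false positive/negative. The Flow record, the signature bytes, the blocked port and the three-standard-deviation threshold are assumptions for this example.

```python
"""Added example (not from the study notes): the three IDS detection methods
run over constructed traffic records, followed by the true/false
positive/negative bookkeeping used to judge the alerts."""
import statistics
from dataclasses import dataclass


@dataclass
class Flow:
    src: str
    dst_port: int
    payload: bytes
    bytes_sent: int
    malicious: bool  # ground truth; known only because the sample is constructed


# Signature-based: a specific string of bytes triggers an alert.
# The signature below is a constructed marker, not a real malware signature.
SIGNATURES = {b"MALICIOUS_MARKER": "constructed-test-signature"}

# Policy-based: a declared rule such as "No Telnet Authorized" (TCP port 23).
BLOCKED_PORTS = {23: "No Telnet Authorized"}


def signature_alert(flow: Flow) -> bool:
    return any(sig in flow.payload for sig in SIGNATURES)


def policy_alert(flow: Flow) -> bool:
    return flow.dst_port in BLOCKED_PORTS


class AnomalyDetector:
    """Anomaly-based: compare each flow against a baseline of normal traffic
    and alert when it falls outside k standard deviations of the mean."""

    def __init__(self, baseline_bytes_sent, k: float = 3.0):
        self.mean = statistics.fmean(baseline_bytes_sent)
        self.stdev = statistics.pstdev(baseline_bytes_sent)
        self.k = k

    def alert(self, flow: Flow) -> bool:
        if self.stdev == 0:  # degenerate baseline: any difference is anomalous
            return flow.bytes_sent != self.mean
        return abs(flow.bytes_sent - self.mean) > self.k * self.stdev


def classify(alerted: bool, malicious: bool) -> str:
    """Map one alert decision onto the four alert types in the notes."""
    if alerted and malicious:
        return "true positive"
    if alerted and not malicious:
        return "false positive"
    if not alerted and malicious:
        return "false negative"
    return "true negative"


def evaluate(flows, detector: AnomalyDetector):
    """Run all three methods over the flows; return per-flow firings and totals."""
    results = []
    totals = {"true positive": 0, "false positive": 0,
              "true negative": 0, "false negative": 0}
    for flow in flows:
        fired = [name for name, hit in (
            ("signature", signature_alert(flow)),
            ("policy", policy_alert(flow)),
            ("anomaly", detector.alert(flow)),
        ) if hit]
        outcome = classify(bool(fired), flow.malicious)
        totals[outcome] += 1
        results.append((flow.src, fired, outcome))
    return results, totals


# Constructed baseline: bytes sent per flow during a known-clean period.
BASELINE = [1200, 1350, 1100, 1500, 1280, 1420, 1180, 1330]

# Constructed sample traffic with ground truth attached.
SAMPLE_FLOWS = [
    Flow("10.0.0.5", 443, b"GET /index.html", 1300, malicious=False),
    Flow("10.0.0.7", 23, b"login: admin", 1100, malicious=False),          # admin using Telnet
    Flow("10.0.0.9", 80, b"POST /upload MALICIOUS_MARKER", 1250, malicious=True),
    Flow("10.0.0.11", 443, b"POST /sync", 48000, malicious=True),          # bulk exfiltration
    Flow("10.0.0.13", 443, b"GET /new-encoding", 1400, malicious=True),    # evades all three
]

if __name__ == "__main__":
    per_flow, counts = evaluate(SAMPLE_FLOWS, AnomalyDetector(BASELINE))
    for src, fired, outcome in per_flow:
        print(f"{src:<10} fired={fired or ['-']} -> {outcome}")
    print(counts)
```

The last flow is the false negative the notes warn about: nothing in its bytes, port or volume differs from the baseline, so an IDS relying on these three methods alone logs nothing.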


Pop-up Blockers 
o Most web-browsers have the ability to block JavaScript created pop-ups 
o Users may enable pop-ups because they are required for a website to function 
o Malicious attackers could purchase ads (pay per click) through various 
networks 
o Content Filters 
= Blocking of external files containing JavaScript, images, or web pages 
from loading in a browser 
o Ensure your browser and its extensions are updated regularly 


Data Loss Prevention 
o Data Loss Prevention (DLP) 
= Monitors the data of a system while in use, in transit, or at rest 
to detect attempts to steal the data 
= Software or hardware solutions
= Endpoint DLP System 
e Software-based client that monitors the data in use on a
computer and can stop a file transfer or alert an admin of the
occurrence
= Network DLP System
e Software or hardware-based solution that is installed on the 
perimeter of the network to detect data in transit 
= Storage DLP System 
e Software installed on servers in the datacenter to inspect the data 
at rest 
= Cloud DLP System 
e Cloud software as a service that protects data being stored in 
cloud services 


Securing the BIOS 
o Basic Input Output System 
= Firmware that provides the computer instructions for how to accept 
input and send output 
= Unified Extensible Firmware Interface (UEFI) 
= BIOS and UEFI are used interchangeably in this lesson
1. Flash the BIOS 
2. Use a BIOS password 
3. Configure the BIOS boot order 
4. Disable the external ports and devices 
5. Enable the secure boot option 




Securing Storage Devices 
o Removable media comes in many different formats 
= You should always encrypt files on removable media 


o Removable media controls 
= Technical limitations placed on a system in regards to the utilization of 
USB storage devices and other removable media 
= Create administrative controls such as policies 
o Network Attached Storage (NAS) 
= Storage devices that connect directly to your organization’s network 
= NAS systems often implement RAID arrays to ensure high availability 
o Storage Area Network (SAN) 
= Network designed specifically to perform block storage functions that 
may consist of NAS devices 
= 1. Use data encryption
= 2. Use proper authentication
= 3. Log NAS access
Disk Encryption
o Encryption scrambles data into unreadable information 
o Self-Encrypting Drive (SED) 
= Storage device that performs whole disk encryption by using embedded
hardware
o Encryption software is most commonly used 
= FileVault 
= BitLocker 


o Trusted Platform Module (TPM) 
= Chip residing on the motherboard that contains an encryption key 
= If your motherboard doesn’t have TPM, you can use an external 
USB drive as a key 
o Advanced Encryption Standard 
= Symmetric key encryption that supports 128-bit and 256-bit keys 
o Encryption adds security but has lower performance 
o Hardware Security Module (HSM) 
= Physical devices that act as a secure cryptoprocessor during the 
encryption process 


Endpoint analysis 
o Anti-virus (AV) 
= Software capable of detecting and removing virus infections and (in most 
cases) other types of malware, such as worms, Trojans, rootkits, adware, 
spyware, password crackers, network mappers, DoS tools, and others 
o Host-based IDS/IPS (HIDS/HIPS) 
= A type of IDS or IPS that monitors a computer system for unexpected 
behavior or drastic changes to the system's state on an endpoint 
o Endpoint Protection Platform (EPP) 
= A software agent and monitoring system that performs multiple security 
tasks such as anti-virus, HIDS/HIPS, firewall, DLP, and file encryption 
o Endpoint Detection and Response (EDR) 
= A software agent that collects system data and logs for analysis by a 
monitoring system to provide early detection of threats 
o User and Entity Behavior Analytics (UEBA) 
= A system that can provide automated identification of suspicious activity 
by user 
accounts and computer hosts 
= UEBA solutions are heavily dependent on advanced computing 
techniques like artificial intelligence (AI) and machine learning
= Many companies are now marketing advanced threat protection (ATP),
advanced endpoint protection (AEP), and NextGen AV (NGAV) which is a 
hybrid of EPP, EDR, and UEBA 


Mobile Device Security 


Mobile Device Security 
Securing Wireless Devices 
o WiFi Protected Access 2 (WPA2) is the highest level of wireless security 
o AES 
= Advanced Encryption Standard 
o Bluetooth pairing creates a shared link key to encrypt the connection 
o Wired devices are almost always more secure than wireless ones 


Mobile Malware
o Ensure your mobile device is patched and updated
o Only install apps from the official App Store or Play Store
o Do not jailbreak/root device
o Don’t use custom firmware or a custom ROM
o Only load official store apps
o Always update your phone’s operating system


SIM Cloning & ID Theft 
o Subscriber Identity Module (SIM) 
= Integrated circuit that securely stores the international mobile subscriber 
identity (IMSI) number and its related key 
o SIM Cloning 
= Allows two phones to utilize the same service and allows an attacker to 
gain access to the phone’s data 
= SIM v1 cards were easy to clone but newer SIM v2 cards are much harder 
= Be careful with where you post phone numbers 


Bluetooth Attacks 
o Bluejacking 
= Sending of unsolicited messages to Bluetooth-enabled devices
o Bluesnarfing 
= Unauthorized access of information from a wireless device over a 
Bluetooth connection 
o Bluejacking sends information to a device
o Bluesnarfing takes information from a device 


Mobile Device Theft 
o Always ensure your device is backed up 
o Don’t try to recover your device alone if it is stolen 
o Remote Lock 
= Requires a PIN or password before someone can use the device 
o Remote Wipe 
= Remotely erases the contents of the device to ensure the information is 
not recovered by the thief 


Security of Apps 
o Only install apps from the official mobile stores 
o TLS 
= Transport Layer Security 
o Mobile Device Management 
= Centralized software solution that allows system administrators to create 
and enforce policies across its mobile devices 
o Turn location services off to ensure privacy 
o Geotagging 
= Embedding of the geolocation coordinates into a piece of data (i.e., a 
photo) 
o Geotagging should be considered when developing your organization’s 
security policies 


Bring Your Own Device 
o BYOD introduces a lot of security issues to consider 
o Storage Segmentation 
= Creating a clear separation between personal and company data on a 
single device 
o Mobile Device Management 
= Centralized software solution for remote administration and 
configuration of mobile devices 
o CYOD 
= Choose Your Own Device
o MDM can prevent certain applications from being installed on the device 
o Ensure your organization has a good security policy for mobile devices 


Hardening Mobile Devices 
1. Update your device to the latest version of the software
2. Install AntiVirus
3. Train users on proper security and use of the device
4. Only install apps from the official mobile stores
5. Do not root or jailbreak your devices
6. Only use v2 SIM cards with your devices
7. Turn off all unnecessary features
8. Turn on encryption for voice and data
9. Use strong passwords or biometrics
10. Don’t allow BYOD
11. Ensure your organization has a good security policy for mobile devices
Hardening


Hardening 
o Hardening 
= Act of configuring an operating system securely by updating it, creating 
rules and policies to govern it, and removing unnecessary applications 
and services 
o We are not guaranteed security, but we can minimize the risk...
o Mitigate risk by minimizing vulnerabilities to reduce exposure to threats 


Unnecessary Applications 
o Least Functionality 
= Process of configuring workstation or server to only provide essential 
applications and services 
o Personal computers often accumulate unnecessary programs over time 
o Utilize a secure baseline image when adding new computers 
o SCCM 
= Microsoft’s System Center Configuration Management


Restricting Applications 
o Application Whitelist 
= Only applications that are on the list are allowed to be run by the 
operating system while all other applications are blocked 
o Application Blacklist 
= Any application placed on the list will be prevented from running while all 
others will be permitted to run 
o Whitelisting and blacklisting can be centrally managed 
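The difference between the two lists is default-deny versus default-allow, and it matters when an attacker renames a file. As an added example, not code from the study notes, the block below applies a hash-keyed application whitelist and a name-keyed blacklist to a few constructed executables; the paths, file contents and list entries are assumptions for this example.

```python
"""Added example (not from the study notes): an application whitelist keyed on
the executable's SHA-256 hash beside a blacklist keyed on file name, applied to
constructed executables. A renamed binary slips past the name-based blacklist
but is still refused by the hash-based whitelist."""
import hashlib

# Constructed executables: path -> bytes that stand in for the file contents.
EXECUTABLES = {
    r"C:\Program Files\Editor\editor.exe": b"approved editor build 4.2",
    r"C:\Windows\System32\notepad.exe": b"approved notepad build 10",
    r"C:\Users\alice\Downloads\cracktool.exe": b"unapproved tool",
    r"C:\Users\alice\Downloads\report.pdf.exe": b"unapproved tool",  # same bytes, renamed
}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Whitelist: hashes of the only binaries the OS may run (everything else denied).
WHITELIST = {
    sha256_hex(b"approved editor build 4.2"),
    sha256_hex(b"approved notepad build 10"),
}

# Blacklist: file names that are blocked (everything else permitted).
BLACKLIST = {"cracktool.exe"}


def file_name(path: str) -> str:
    """Last path component, lower-cased, for either slash style."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def whitelist_decision(path: str, contents: bytes) -> str:
    return "allow" if sha256_hex(contents) in WHITELIST else "deny"


def blacklist_decision(path: str, contents: bytes) -> str:
    return "deny" if file_name(path) in BLACKLIST else "allow"


def evaluate_policies(executables: dict) -> dict:
    """Return {path: (whitelist decision, blacklist decision)} for each file."""
    return {path: (whitelist_decision(path, data), blacklist_decision(path, data))
            for path, data in executables.items()}


if __name__ == "__main__":
    for path, (wl, bl) in evaluate_policies(EXECUTABLES).items():
        print(f"{file_name(path):<18} whitelist={wl:<5} blacklist={bl}")
```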


Unnecessary Services 
o Any services that are unneeded should be disabled in the OS 


Trusted Operating Systems 
o Trusted Operating System (TOS) 
= An operating system that meets the requirements set forth by
government and has multilevel security 

= Windows 7 (and newer) 

= Mac OSX 10.6 (and newer) 

= FreeBSD (TrustedBSD) 

= Red Hat Enterprise Server 

o You need to identify the current version and build prior to updating a system 

Updates and Patches 


o Patches 
= A single problem-fixing piece of software for an operating system or 
application 
o Hotfix 
= A single problem-fixing piece of software for an operating system or 
application 


o Patches and Hotfixes are now used interchangeably by most manufacturers 
o Categories of Updates 
= Security Update 
e Software code that is issued for a product-specific security-related 
vulnerability 
= Critical Update 
e Software code for a specific problem addressing a critical, non- 
security bug in the software 
= Service Pack
e Atested, cumulative grouping of patches, hotfixes, security 
updates, critical updates, and possibly some feature or design 
changes 
= Windows Update 
e Recommended update to fix a noncritical problem that users have 
found, as well as to provide additional features or capabilities 
= Driver Update 
e Updated device driver to fix a security issue or add a feature to a 
supported piece of hardware 
= Windows 10 uses the Windows Update program (wuapp.exe) to manage 
updates 


Patch Management 
o Patch Management 
= Process of planning, testing, implementing, and auditing of software 
patches 
= Planning
= Testing
= Implementing
= Auditing
o Verify it is compatible with your systems and plan for how you will test and
deploy it
o Always test a patch prior to automating its deployment
o Manually or automatically deploy the patch to all your clients to implement it
o Large organizations centrally manage updates through an update server
o Disable the wuauserv service to prevent Windows Update from running
automatically
o It is important to audit the client’s status after patch deployment
o Linux and OSX also have built-in patch management systems


e Group Policies
o Group Policy
= A set of rules or policies that can be applied to a set of users or computer
accounts within the operating system
= Access the Group Policy Editor by opening the Run prompt and enter
gpedit
o Password complexity
o Account lockout policy
o Software restrictions
o Application restrictions
o Active Directory domain controllers have a more advanced Group Policy Editor
o Security Template
= A group of policies that can be loaded through one procedure
o Group Policy Objects (GPOs) aid in the hardening of the operating system
o Baselining
= Process of measuring changes in the network, hardware,
and software environment
= A baseline establishes what is normal so you can find deviations


e File Systems and Hard Drives 
o Level of security of a system is affected by its file system type 


= NTFS
= FAT32
= ext4
= HFS+
= APFS
https://www.DionTraining.com © 2022 v1.2 


Dion Training Solutions, LLC is a Platinum Delivery Partner for CompTIA certification products. All rights reserved. 


o Windows systems can utilize NTFS or FAT32
o NTFS 
= New Technology File System is the default file system format for 
Windows and is more secure because it supports logging, encryption, 
larger partition sizes, and larger file sizes than FAT32 
o Linux systems should use ext4 and OSX should use the APFS 
o All hard drives will eventually fail
= 1. Remove temporary files by using Disk Cleanup
= 2. Periodic system file checks
= 3. Defragment your disk drive
= 4. Back up your data
= 5. Use and practice restoration techniques
Supply Chain Assessment


Working securely in an insecure environment involves mitigating the risks of the supply
chain
An organization must ensure that the operation of every element (hardware, firmware, 
driver, OS, and application) is consistent and tamper resistant to establish a trusted 
computing environment 
o Due Diligence 
= A legal principle identifying a subject has used best practice or reasonable 
care when setting up, configuring, and maintaining a system 
e Properly resourced cybersecurity program 
e Security assurance and risk management processes 
e Product support life cycle 
e Security controls for confidential data 
e Incident response and forensics assistance 
e General and historical company information 
= Due diligence should apply to all suppliers and contractors 
o Trusted Foundry 
= A microprocessor manufacturing utility that is part of a validated supply 
chain (one where hardware and software does not deviate from its 
documented function) 
= Trusted Foundry Program is operated by the Department of Defense 
(DoD) 
o Hardware Source Authenticity 
= The process of ensuring that hardware is procured tamper-free from 
trustworthy suppliers 
= Greater risk of inadvertently obtaining counterfeited or compromised 
devices when purchasing from second-hand or aftermarket sources 


Root of Trust
o Hardware Root of Trust (ROT)
= A cryptographic module embedded within a computer system that can
endorse trusted execution and attest to boot settings and metrics
= A hardware root of trust is used to scan the boot metrics and OS files to
verify their signatures, which we can then use to sign a digital report
o Trusted Platform Module (TPM)
= A specification for hardware-based storage of digital certificates, keys,
hashed passwords, and other user and platform identification
information
= A TPM can be managed in Windows via the tpm.msc console or through
group policy
o Hardware Security Module (HSM)
= An appliance for generating and storing cryptographic keys that is less
susceptible to tampering and insider threats than software-based storage
o Anti-Tamper
= Methods that make it difficult for an attacker to alter the authorized
execution of software
= Anti-tamper mechanisms include a field programmable gate array (FPGA)
and a physically unclonable function (PUF)


Trusted Firmware
o A firmware exploit gives an attacker an opportunity to run any code at the
highest level of CPU privilege
= Unified Extensible Firmware Interface (UEFI)
e A type of system firmware providing support for 64-bit CPU
operation at boot, full GUI and mouse operation at boot, and
better boot security
= Secure Boot
e A UEFI feature that prevents unwanted processes from executing
during the boot operation
= Measured Boot
e A UEFI feature that gathers secure metrics to validate the boot
process in an attestation report
= Attestation
e A claim that the data presented in the report is valid by digitally
signing it using the TPM’s private key
= eFUSE
e A means for software or firmware to permanently alter the state
of a transistor on a computer chip
= Trusted Firmware Updates
e A firmware update that is digitally signed by the vendor and
trusted by the system before installation
= Self-Encrypting Drives
e A disk drive where the controller can automatically encrypt data
that is written to it
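Measured Boot and attestation as described above, as an added example that is not part of the study notes: each boot component is hashed and chained into a simulated PCR, and a remote verifier checks the signed report against a golden value. The TPM's private-key signature is simulated with an HMAC under a constructed key, and the boot component images are constructed byte strings.

```python
import hashlib
import hmac

# Simplified model of Measured Boot. Each component is hashed and "extended"
# into a Platform Configuration Register the way a TPM does:
#     PCR_new = SHA-256(PCR_old || SHA-256(component))
# The chaining means a later component cannot undo an earlier measurement.
# HMAC under this constructed key stands in for the TPM's private attestation
# key; a real TPM would produce an asymmetric signature over the quote.
TPM_ATTESTATION_KEY = b"constructed-demo-key-not-a-real-tpm-key"


def extend(pcr, component_bytes):
    """One TPM PCR-extend operation."""
    digest = hashlib.sha256(component_bytes).digest()
    return hashlib.sha256(pcr + digest).digest()


def measure_boot(components):
    """Measure each boot component in order; return the final PCR and the
    event log (name, hash) that explains how the PCR value was reached."""
    pcr = bytes(32)  # PCRs are all zeros at power-on
    log = []
    for name, data in components:
        log.append((name, hashlib.sha256(data).hexdigest()))
        pcr = extend(pcr, data)
    return pcr, log


def attest(pcr, nonce):
    """Attestation report: the PCR plus a verifier-supplied nonce (so an old
    report cannot be replayed), signed by the TPM (simulated with HMAC)."""
    report = pcr + nonce
    return report, hmac.new(TPM_ATTESTATION_KEY, report, hashlib.sha256).digest()


def verify(report, signature, nonce, golden_pcr):
    """Remote verifier: check the signature, the nonce, and that the PCR
    matches the known-good value recorded when the platform was baselined."""
    expected = hmac.new(TPM_ATTESTATION_KEY, report, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        return False, "bad signature"
    if report[32:] != nonce:
        return False, "nonce mismatch (replayed report?)"
    if not hmac.compare_digest(report[:32], golden_pcr):
        return False, "boot measurements differ from golden value"
    return True, "trusted boot"


# Constructed stand-ins for the firmware, bootloader and kernel images.
GOOD_BOOT = [("uefi", b"firmware v1"),
             ("bootloader", b"shim"),
             ("kernel", b"vmlinuz 6.1")]
```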
e Secure Processing
o A mechanism for ensuring the confidentiality, integrity, and availability of
software code and data as it is executed in volatile memory
o Processor Security Extensions
= Low-level CPU changes and instructions that enable secure processing
e AMD
o Secure Memory Encryption (SME)
o Secure Encrypted Virtualization (SEV)
e Intel
o Trusted Execution Technology (TXT)
o Software Guard Extensions (SGX)
o Trusted Execution
= The CPU's security extensions invoke a TPM and secure boot attestation
to ensure that a trusted operating system is running
o Secure Enclave
= The extensions allow a trusted process to create an encrypted container
for sensitive data
o Atomic Execution
= Certain operations that should only be performed once or not at all, such
as initializing a memory location
o Bus Encryption
= Data is encrypted by an application prior to being placed on the data bus
= Ensures that the device at the end of the bus is trusted to decrypt the
data
Virtualization


Virtualization 
o Virtualization 
= Creation of a virtual resource 
o A virtual machine is a container for an emulated computer that runs an entire
operating system 
o VM Types 
= System Virtual Machine 
e Complete platform designed to replace an entire physical 
computer and includes a full desktop/server operating system 
= Processor Virtual Machine 
e Designed to only run a single process or application like a 
virtualized web browser or a simple web server 
o Virtualization continues to rise in order to reduce the physical requirements 
for data centers 


Hypervisors
o Hypervisor
= Manages the distribution of the physical resources of a host machine
(server) to the virtual machines being run (guests)
= Figure: Type I vs Type II hypervisors. In a Type I design the guest VMs run
on a hypervisor (Hyper-V, ESXi, XenServer, ...) that sits directly on the
physical hardware; in a Type II design the guest VMs run on a hypervisor
(VMware, VirtualBox, Parallels, ...) that runs on top of a host operating
system (Windows, Linux, or OSX) on the physical hardware
= Type I (bare metal) hypervisors are more efficient than Type II
o Container-based 
= Application Containerization 
e A single operating system kernel is shared across multiple virtual 
machines but each virtual machine receives its own user space for 
programs and data 
e Containerization allows for rapid and efficient deployment 
of distributed applications 
o Docker 
o Parallels Virtuozzo 
o OpenVZ 


Threats to VMs 
o VMs are separated from other VMs by default 
o VM Escape 
= An attack that allows an attacker to break out of a normally isolated VM 
by interacting directly with the hypervisor 
= Elasticity allows for scaling up or down to meet user demands 
o Data Remnants 
= Contents of a virtual machine that exist as deleted files on a cloud-based 
server after deprovisioning of a virtual machine 
o Privilege Elevation 
= Occurs when a user is able to grant themselves the ability to run 
functions as a higher-level user 
o Live migration occurs when a VM is moved from one physical server to another 
over the network 


Securing VMs 
o Uses many of the same security measures as a physical server 
= Limit connectivity between the virtual machine and the host 
= Remove any unnecessary pieces of virtual hardware from the virtual 
machine 
= Using proper patch management is important for keeping your guest’s
operating system secure 
o Virtualization Sprawl 
= Occurs when virtual machines are created, used, and deployed without 
proper management or oversight by the system admins 
Application Security


e Application Security 


e Web Browser Security 
o Ensure your web browser is up-to-date with patches... 
= but don’t adopt the newest browser immediately 
o Which web browser should I use? 
o General Security for Web Browsers 
= 1. Implement Policies
e Create and implement web browsing policies as an administrative 
control or technical control 
= 2. Train Your Users 
e User training will prevent many issues inside your organization 
= 3. Use Proxy & Content Filter 
e Proxies cache the website to reduce requests and bandwidth 
usage 
e Content filters can be used to blacklist specific websites or entire 
categories of sites 
= 4. Prevent Malicious Code
e Configure your browsers to prevent ActiveX controls, Java applets, 
JavaScript, Flash, and other active content 


e Web Browser Concerns 


o Cookies
= Text files placed on a client’s computer to store information about the
user’s browsing habits, credentials, and other data
o Locally Shared Object (LSO) 
= Also known as Flash cookies, they are stored in your Windows user 
profile under the Flash folder inside of your AppData folder 
o Add-Ons 
= Smaller browser extensions and plugins that provide additional 
functionality to the browser 
o Advanced Security Options 
= Browser configuration and settings for numerous options such as SSL/TLS 
settings, local storage/cache size, browsing history, and much more 
e Securing Applications
o Use passwords to protect the contents of your documents 
o Digital signatures and digital certificates are used by MS Outlook for email 
security 
o User Account Control 
= Prevents unauthorized access and avoids user error in the form of
accidental changes 
Secure Software Development


e Software Development 
o SDLC 
= Software Development Life Cycle 
= SDLC is an organized process of developing a secure application
throughout the life of the project 


= Figure: Waterfall Model, beginning with Project Planning
o SDLC Phases
= Planning and Analysis
= Software/Systems Design
= Implementation
= Testing
= Integration
= Deployment
= Maintenance


o Agile 
= Software development is performed in time-boxed or small increments to 
allow more adaptivity to change 
o DevOps 
= Software development and information technology operations 


SDLC Principles 
o Developers should always remember confidentiality, integrity, and availability 
= Confidentiality 
e Ensures that only authorized users can access the data 


= Integrity 
e Ensures that the data is not modified or altered without 
permission 
= Availability 
e Ensuring that data is available to authorized users when it is 
needed 


o Threat modeling helps prioritize vulnerability identification and patching 
o Least Privilege 
= Users and processes should be run using the least amount of access 
necessary to perform a given function 
o Defense in Depth 
= Layering of security controls is more effective and secure than relying on 
a single control 
o Never Trust User Input 
= Any input that is received from a user should undergo input validation
prior to allowing it to be utilized by an application 
o Minimize Attack Surface 
= Reduce the amount of code used by a program, eliminate unneeded 
functionality, and require authentication prior to running additional 
plugins 
o Create Secure Defaults 
= Default installations should include secure configurations instead of 
requiring an administrator or user to add in additional security 
o Authenticity and Integrity 
= Applications should be deployed using code signing to ensure the 
program is not changed inadvertently or maliciously prior to delivery to 
an end user 
o Fail Securely 
= Applications should be coded to properly conduct error handling for 
exceptions in order to fail securely instead of crashing 
o Fix Security Issues 
= If a vulnerability is identified then it should be quickly and correctly 
patched to remove the vulnerability 
o Rely on Trusted SDKs 
= SDKs must come from a trusted source to ensure no malicious code is
being added 


Testing Methods 
o System Testing 
= Black-box Testing 
e Occurs when a tester is not provided with any information about 
the system or program prior to conducting the test 
= White-box Testing 
e Occurs when a tester is provided full details of a system including 
the source code, diagrams, and user credentials in order to 
conduct the test 
= Gray-box Testing


o Structured Exception Handling (SEH)
= Provides control over what the application should do when faced with a
runtime or syntax error
o Programs should use input validation when taking data from users
= Input Validation
e Applications verify that information received from a user matches
a specific format or range of values
= Example
get $ssn
if ($ssn >= 000-00-0000 and $ssn <= 999-99-9999)
then [do function]
else [conduct error handling]
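The input validation and fail-securely principles above, as an added Python example that is not from the study notes: the pseudocode's SSN check is done as an allow-list format check (an SSN with dashes is a string, not a number), and one invalid field rejects the whole request with a generic error. The form fields and their rules are constructed for this example.

```python
import re

# Allow-list patterns for a small constructed form: field -> (pattern, max length).
# The notes' pseudocode compares the SSN to a numeric range, but "123-45-6789"
# is a string, so the correct check is a format check: exactly NNN-NN-NNNN.
FIELD_RULES = {
    "ssn": (re.compile(r"\d{3}-\d{2}-\d{4}", re.ASCII), 11),
    "zip": (re.compile(r"\d{5}(-\d{4})?", re.ASCII), 10),
    "age": (re.compile(r"\d{1,3}", re.ASCII), 3),
}


class ValidationError(ValueError):
    """Raised when user input does not match the expected format or range."""


def validate_field(name, raw):
    """Return the cleaned value of one field or raise ValidationError.

    Every check is an allow-list check: the value must be a string, no longer
    than the field allows, must fully match the known-good pattern, and (for
    numeric fields) must fall inside the expected range. Anything else is
    rejected rather than "fixed up".
    """
    if name not in FIELD_RULES:
        raise ValidationError(f"unknown field: {name}")
    if not isinstance(raw, str):
        raise ValidationError(f"{name}: expected a string")
    pattern, max_len = FIELD_RULES[name]
    value = raw.strip()
    if len(value) > max_len:
        raise ValidationError(f"{name}: too long")
    if pattern.fullmatch(value) is None:  # fullmatch: no partial matches
        raise ValidationError(f"{name}: invalid format")
    if name == "age" and not 0 <= int(value) <= 120:
        raise ValidationError("age: out of range")
    return value


def process_form(form):
    """Validate all fields before any of them is used ("then [do function]").

    Fails securely: one bad field rejects the whole request with a generic
    message ("else [conduct error handling]"), so nothing downstream ever sees
    unvalidated data and the client learns nothing about the internal checks.
    """
    try:
        clean = {name: validate_field(name, form.get(name, ""))
                 for name in FIELD_RULES}
    except ValidationError:
        return {"ok": False, "error": "invalid input"}
    # the application's real work on `clean` would follow here
    return {"ok": True, "data": clean}
```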


o Static Analysis 
= Source code of an application is reviewed manually or with automatic 
tools without running the code 
o Dynamic Analysis 
= Analysis and testing of a program occurs while it is being executed or run 
o Fuzzing 
= Injection of randomized data into a software program in an attempt to 
find system failures, memory leaks, error handling issues, and improper 
input validation 


Software Vulnerabilities and Exploits 
o Backdoors 
= Code placed in computer programs to bypass normal authentication and 
other security mechanisms 
= Backdoors are a poor coding practice and should not be utilized 
o Directory Traversal 
= Method of accessing unauthorized directories by moving through the 
directory structure on a remote server 


o Arbitrary Code Execution 
= Occurs when an attacker is able to execute or run commands 
on a victim computer 
o Remote Code Execution (RCE) 
= Occurs when an attacker is able to execute or run commands 
on a remote computer 
o Zero Day 


= Attack against a vulnerability that is unknown to the original developer or 
manufacturer 


e Buffer Overflows
o Buffer Overflow
= Occurs when a process stores data outside the memory range allocated
by the developer
o Buffer
= A temporary storage area that a program uses to store data
= Over 85% of data breaches were caused by a buffer overflow
o Example
= Figure: the phone number 955-1234 entered into an 8-digit buffer (A),
occupying positions 0 through 7
= What happens if we try to enter a number that is too long?
= Figure: the phone number 410-555-1234 entered into the same 8-digit
buffer (A) fills positions 0 through 7 and the remaining digits overflow
into the adjacent buffer (B)
o Let’s get technical...
= Stack
e Reserved area of memory where the program saves the return
address when a function call instruction is received
e Figure: stack layout from the bottom of memory to the top: local
variables and buffers (buffer 2, local variable 2), then the function
call arguments, then the return pointer; the fill direction runs
toward the return pointer, so when the buffer is overwritten with
the attacker’s code (new code, /bin/sh) the return pointer is also
overwritten with a new pointer to that code
= “Smash the Stack”
e Occurs when an attacker fills up the buffer with NOP so that the
return address may hit a NOP and continue on until it finds the
attacker’s code to run
e Figure: NOP slide, a run of 0x90909090 values between 0xbfxxxx0c
and 0xbfxxxxfc, followed by the shellcode
= Address Space Layout Randomization
e Method used by programmers to randomly arrange the different
address spaces used by a program or process to prevent buffer
overflow exploits
o Buffer overflows attempt to put more data into memory than it is designed to
hold

XSS and XSRF
o Cross-Site Scripting (XSS)
= Occurs when an attacker embeds malicious scripting commands on a
trusted website
= Stored/Persistent
e Attempts to get data provided by the attacker to be saved on the
web server by the victim
= Reflected
e Attempts to have a non-persistent effect activated by a victim
clicking a link on the site
= DOM-based
e Attempt to exploit the victim’s web browser
= Prevent XSS with output encoding and proper input validation
o Cross-Site Request Forgery (XSRF/CSRF)
= Occurs when an attacker forces a user to execute actions on a web server
for which they are already authenticated
= Prevent XSRF with tokens, encryption, XML file scanning, and cookie
verification
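The two defences named above, output encoding against stored XSS and a per-session token against XSRF, as an added Python example that is not from the study notes. The in-memory session store, comment list and form dictionaries are constructed stand-ins for a web framework's request handling.

```python
import hmac
import html
import secrets

# Constructed in-memory server state for the demonstration: a session store
# and a comments table. A real application would use its framework's session.
sessions = {}
comments = []


def start_session():
    """Create a session and issue it a CSRF token. The token is embedded in
    forms served to this session and must come back with every state change;
    a forged request from another site cannot know it."""
    sid = secrets.token_urlsafe(16)
    sessions[sid] = {"csrf_token": secrets.token_urlsafe(32)}
    return sid


def csrf_token_for(sid):
    return sessions[sid]["csrf_token"]


def render_comment(text):
    """Output encoding: HTML-escape user data at the point it is written into
    the page, so stored text such as <script> is displayed, not executed."""
    return "<p>" + html.escape(text, quote=True) + "</p>"


def render_page(sid):
    """Serve the comment page: every stored comment (escaped) followed by the
    form, which carries the session's CSRF token in a hidden field."""
    body = "".join(render_comment(c) for c in comments)
    token = html.escape(csrf_token_for(sid), quote=True)
    form = ('<form method="post"><input type="hidden" name="csrf_token" '
            'value="' + token + '"><textarea name="text"></textarea></form>')
    return body + form


def post_comment(sid, form):
    """Handle a POST. Reject it unless the submitted token matches the one
    issued to this session (constant-time compare), validate the input, then
    store the raw text; escaping happens on output so the data stays intact."""
    if sid not in sessions:
        return 403, "no session"
    expected = sessions[sid]["csrf_token"].encode()
    submitted = str(form.get("csrf_token", "")).encode()
    if not hmac.compare_digest(expected, submitted):
        return 403, "CSRF token missing or invalid"
    text = str(form.get("text", ""))
    if not 0 < len(text) <= 1000:
        return 400, "comment must be 1-1000 characters"
    comments.append(text)
    return 200, "stored"
```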


SQL Injection 
o SQL Injection 
= Attack consisting of the insertion or injection of an SQL query via input 
data from the client to a web application 
o Injection Attack
= Insertion of additional information or code through data input from a
client to an application
e SQL
e HTML
e XML
e LDAP
= Most common type is an SQL injection
o How does a normal SQL request work?
= Figure: a normal login request for the user jason flowing from the login
form through the web application to the database
= SQL injection is prevented through input validation and using least
privilege when accessing a database
= If you see ' OR 1=1; on the exam, it’s an SQL injection


XML Vulnerabilities
o XML data submitted without encryption or input validation is vulnerable to
spoofing, request forgery, and injection of arbitrary code
= XML Bomb (Billion Laughs Attack)
e XML encodes entities that expand to exponential sizes, consuming
memory on the host and potentially crashing it
= XML External Entity (XXE)
e An attack that embeds a request for a local resource
e To prevent XML vulnerabilities from being exploited, use proper
input validation
Race Conditions
o A software vulnerability when the resulting outcome from execution processes is
directly dependent on the order and timing of certain events, and those events
fail to execute in the order and timing intended by the developer
o A race condition vulnerability is found where multiple threads are attempting to
write a variable or object at the same memory location
= Dereferencing
e A software vulnerability that occurs when the code attempts to
remove the relationship between a pointer and the thing it points
to
e Race conditions are difficult to detect and mitigate
e Race conditions can also be used against databases and file
systems
o Time of Check to Time of Use (TOCTTOU)
= The potential vulnerability that occurs when there is a change between
when an app checked a resource and when the app used the resource
= How can you prevent race conditions and TOCTTOU?
e Develop applications to not process things sequentially if possible
e Implement a locking mechanism to provide the app with exclusive
access
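The TOCTTOU window and the locking mitigation above, as an added Python example that is not from the study notes: two threads withdraw from one account, and the version that checks the balance and then uses it as separate steps lets both pass the check, while the locked version makes check and use indivisible. The account, amounts and the short sleep that widens the window are constructed for the demonstration.

```python
import threading
import time


class Account:
    """Constructed demo account. withdraw_racy checks the balance and then
    uses it in two separate steps (a time-of-check to time-of-use window);
    withdraw_locked performs check and use as one critical section."""

    def __init__(self, balance):
        self.balance = balance
        self._lock = threading.Lock()

    def withdraw_racy(self, amount, delay=0.05):
        # Time of check: the balance looks sufficient...
        if self.balance >= amount:
            time.sleep(delay)  # window in which another thread can act
            # Time of use: ...but another thread may have withdrawn meanwhile
            self.balance -= amount
            return True
        return False

    def withdraw_locked(self, amount, delay=0.05):
        # Holding the lock makes the check and the use indivisible from the
        # point of view of every other thread using the same lock
        with self._lock:
            if self.balance >= amount:
                time.sleep(delay)
                self.balance -= amount
                return True
            return False


def run_concurrent_withdrawals(start, amount, locked):
    """Start two threads that each try to withdraw `amount` from the same
    account at the same time; return (final_balance, number_of_successes)."""
    acct = Account(start)
    method = acct.withdraw_locked if locked else acct.withdraw_racy
    results = []
    threads = [threading.Thread(target=lambda: results.append(method(amount)))
               for _ in range(2)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return acct.balance, sum(results)
```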


Design Vulnerabilities
o Vulnerabilities often arise from the general design of the software code
= Insecure Components
e Any code that is used or invoked outside the main program
development process
o Code Reuse
o Third-party Library
o Software Development Kit (SDK)
= Insufficient Logging and Monitoring
e Any program that does not properly record or log detailed enough
information for an analyst to perform their job
e Logging and monitoring must support your use case and answer
who, what, when, where, and how
= Weak or Default Configurations
e Any program that uses ineffective credentials or configurations, or
one in which the defaults have not been changed for security
e Many applications choose to simply run as root or as a local admin
e Permissions may be too permissive on files or directories due to
weak configurations
o BEST PRACTICE: Utilize scripted installations and baseline configuration
templates to secure applications during installation
Network Design


e Network Security 
o OSI Model
o If you never learned network fundamentals, go back and review


e OSI Model 
o OSI Model 
= Used to explain network communications between a host and remote 
device over a LAN or WAN 
= Figure: the OSI layers from the bottom up: Physical, Data Link, Network,
Transport, Session, Presentation, Application (top)
o Physical Layer
= Represents the actual network cables and radio waves used to carry data
over a network
= Bits
o Data Link Layer
= Describes how a connection is established, maintained, and transferred
over the physical layer and uses physical addressing (MAC addresses)
= Frames
o Network Layer
= Uses logical addresses to route or switch information between hosts, the
network, and the internetworks
= Packets
o Transport Layer
= Manages and ensures transmission of the packets occurs from a host to a
destination using either TCP or UDP
= Segments (TCP) or Datagrams (UDP)
o Session Layer
= Manages the establishment, termination, and synchronization of a
session over the network
o Presentation Layer
= Translates the information into a format that the sender and receiver
both understand
o Application Layer
= Layer from which the message is created, formed, and originated 
= Consists of high-level protocols like HTTP, SMTP, and FTP 


e Switches 
o Switches are the combined evolution of hubs and bridges 
o MAC Flooding 
= Attempt to overwhelm the limited switch memory set aside to store the 
MAC addresses for each port 
= Switches can fail-open when flooded and begin to act like a hub 
o MAC Spoofing 
= Occurs when an attacker masks their own MAC address to pretend they 
have the MAC address of another device 
= MAC Spoofing is often combined with an ARP spoofing attack 
= Limit static MAC addresses accepted 
= Limit duration of time for ARP entry on hosts 
= Conduct ARP inspection 
o Physical Tampering
= Physical tampering occurs when an attacker attempts to gain physical
access
e Routers
o Routers operate at Layer 3
o Routers
= Used to connect two or more networks to form an internetwork
= Routers rely on a packet’s IP Addresses to determine the proper
destination
= Once on the network, it conducts an ARP request to find the final destination
o Access Control List
= An ordered set of rules that a router uses to decide whether to permit or
deny traffic based upon given characteristics
= IP Spoofing is used to trick a router’s ACL


e Network Zones 
o Any traffic you wish to keep confidential crossing the internet should use a 
VPN 
o De-Militarized Zone (DMZ) 
= Focused on providing controlled access to publicly available servers that 
are hosted within your organizational network 
= Sub-zones can be created to provide additional protection for some
servers 
o Extranet
= Specialized type of DMZ that is created for your partner organizations to
access over a wide area network
o Intranets are used when only one company is involved 


Jumpbox 
o Internet-facing Host 
= Any host that accepts inbound connections from the internet 
o Demilitarized Zone (DMZ) 
= A segment isolated from the rest of a private network by one or more 
firewalls that accepts connections from the Internet over designated 
ports 
= Everything behind the DMZ is invisible to the outside network 
o Bastion Hosts 
= Hosts or servers in the DMZ which are not configured with any services 
that run on the local network 
= To configure devices in the DMZ, a jumpbox is utilized 
o Jumpbox 
= A hardened server that provides access to other hosts within the DMZ 
= An administrator connects to the jumpbox and the jumpbox
connects to hosts in the DMZ 
= The jumpbox and management workstation should only have the 
minimum required software to perform their job and be well hardened 


Network Access Control 
o Network Access Control (NAC) 
= Security technique in which devices are scanned to determine their current
state prior to being allowed access onto a given network 
= If a device fails the inspection, it is placed into digital quarantine 
o Persistent Agents 
= A piece of software that is installed on the device requesting access to 
the network 
o Non-Persistent Agents 
= Uses a piece of software that scans the device remotely or is installed and 
subsequently removed after the scan 
o NAC can be used as a hardware or software solution 
o IEEE 802.1x standard is used in port-based NAC 
VLANs
o Segment the network
o Reduce collisions
o Organize the network
o Boost performance
o Increase security
o Switch Spoofing
= Attacker configures their device to pretend it is a switch and uses it to
negotiate a trunk link to break out of a VLAN
o Double Tagging
= Attacker adds an additional VLAN tag to create an outer and inner tag
= Prevent double tagging by moving all ports out of the default VLAN group

Subnetting
o Subnetting
= Act of creating subnetworks logically through the manipulation of IP
addresses
= Efficient use of IP addresses
= Reduced broadcast traffic
= Reduced collisions
= Compartmentalized
o Subnet’s policies and monitoring can aid in the security of your network


Network Address Translation 
o Network Address Translation (NAT) 
= Process of changing an IP address while it transits across a router 
= Using NAT can help us hide our network IPs
o Port Address Translation (PAT) 
= Router keeps track of requests from internal hosts by assigning them 
random high number ports for each request 


o Class A
= 10.0.0.0 to 10.255.255.255
o Class B
= 172.16.0.0 to 172.31.255.255
o Class C
= 192.168.0.0 to 192.168.255.255


Telephony 
o Telephony 
= Term used to describe devices that provide voice communication to users 
o Modem
= A device that could modulate digital information into an analog signal for 
transmission over a standard dial-up phone line 
o War Dialing 
= Protect dial-up resources by using the callback feature 
o Public Branch Exchange (PBX) 
= Internal phone system used in large organizations 
o Voice Over Internet Protocol (VoIP) 
= Digital phone service provided by software or hardware devices over a 
data network 
o Quality of Service (QoS) 
Perimeter Security


Perimeter Security 
o Perimeter Security 
= Security devices focused on the boundary between the LAN and the WAN 
in your organization’s network 
= Perimeter security relies on several different devices 


Firewalls 
o Firewalls screen traffic between two portions of a network 
= Software
= Hardware 
= Embedded 
o Packet Filtering 
= Inspects each packet passing through the firewall and accepts or rejects it 
based on the rules 
= Stateless Packet Filtering
= Stateful packet filtering tracks the requests leaving the network
o NAT Filtering 
= Filters traffic based upon the ports being utilized and type of connection 
(TCP or UDP) 
o Application-layer gateway conducts an in-depth inspection based upon the 
application being used 
o Circuit-Level gateway 
= Operates at the session layer and only inspects the traffic during the 
establishment of the initial session over TCP or UDP 
o MAC Filtering 
o Explicit Allow 
= Traffic is allowed to enter or leave the network because there is an ACL 
rule that specifically allows it 
= Example: allow TCP 10.0.0.2 any port 80 
o Explicit Deny 
= Traffic is denied the ability to enter or leave the network because there is 
an ACL rule that specifically denies it 
= Example: deny TCP any any port 23 
o Implicit Deny 
= Traffic is denied the ability to enter or leave the network because there is 
no specific rule that allows it 
= Example: deny TCP any any port any 
o Most operate at Layer 3 (blocking IP addresses) and Layer 4 (blocking ports)
o Web Application Firewall 
= Firewall installed to protect your server by inspecting traffic being sent to 
a web application 
= A WAF can prevent a XSS or SQL injection 
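The explicit allow, explicit deny and implicit deny rules above, evaluated the way an ordered ACL is, as an added Python example that is not from the study notes: rules are tried in order, the first match decides, and a packet that matches nothing is denied. The rule-line parser, the packet fields and the test addresses are constructed for this example; the two rules are the notes' own.

```python
import ipaddress
from dataclasses import dataclass


@dataclass
class Rule:
    action: str   # "allow" or "deny"
    proto: str    # "tcp", "udp" or "any"
    src: object   # ipaddress network, or "any"
    dst: object   # ipaddress network, or "any"
    port: object  # int, or "any"


def _parse_host(token):
    """'any' matches everything; a bare address is a /32; CIDR is accepted."""
    if token.lower() == "any":
        return "any"
    return ipaddress.ip_network(token, strict=False)


def parse_rule(line):
    """Parse the notes' rule form: <allow|deny> <proto> <src> <dst> port <port>"""
    parts = line.split()
    if len(parts) != 6 or parts[4].lower() != "port":
        raise ValueError(f"malformed rule: {line!r}")
    action, proto, src, dst, _, port = parts
    action = action.lower()
    if action not in ("allow", "deny"):
        raise ValueError(f"unknown action in rule: {line!r}")
    return Rule(action, proto.lower(), _parse_host(src), _parse_host(dst),
                "any" if port.lower() == "any" else int(port))


def _host_matches(rule_host, addr):
    return rule_host == "any" or ipaddress.ip_address(addr) in rule_host


def evaluate(rules, proto, src, dst, port):
    """First-match evaluation of an ordered ACL.

    Returns (decision, reason): the matching rule's action with the rule text,
    or ("deny", "implicit deny") when no rule matches at all. Because the
    first match wins, rule order matters: a broad deny placed before a
    specific allow shadows it.
    """
    for rule in rules:
        if rule.proto not in ("any", proto.lower()):
            continue
        if not (_host_matches(rule.src, src) and _host_matches(rule.dst, dst)):
            continue
        if rule.port != "any" and rule.port != port:
            continue
        return rule.action, f"explicit {rule.action} ({rule})"
    return "deny", "implicit deny"


# The two explicit rules from the notes; the implicit deny needs no rule.
ACL = [parse_rule("allow TCP 10.0.0.2 any port 80"),
       parse_rule("deny TCP any any port 23")]
```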


e Proxy Server 
o Proxy Server 
= A device that acts as a middle man between a device and a remote server 
= IP Proxy 
e IP Proxy is used to secure a network by keeping its machines
anonymous during web browsing 
= Caching Proxy 
e Attempts to serve client requests by delivering content from itself 
without actually contacting the remote server 
e Disable Proxy Auto-Configuration (PAC) files for security 
= Internet Content Filter 
e Used in organizations to prevent users from accessing prohibited 
websites and other content 
= Web Security Gateway 
e A go-between device that scans for viruses, filters unwanted
content, and performs data loss prevention functions 


e Honeypots and Honeynets 
o Honeypots and honeynets are used to attract and trap potential attackers 
o Honeypot 
= A single computer (or file, group of files, or IP range) that might be 
attractive to an attacker 
o Honeynet 
= A group of computers, servers, or networks used to attract an attacker 
o Honeypots are normally used in security research 


e Data Loss Prevention 
o Data Loss Prevention 
= Systems designed to protect data by conducting content inspection of
data being sent out of the network 
= Also called Information Leak Protection (ILP) or Extrusion Prevention 
Systems (EPS) 
= DLP is used to ensure your private data remains secure 
e NIDS vs NIPS
o Network Intrusion Detection Systems 
= Attempts to detect, log, and alert on malicious network activities 
= NIDS use promiscuous mode to see all network traffic on a segment 
o Network Intrusion Prevention Systems 
= Attempts to remove, detain, or redirect malicious traffic 
= NIPS should be installed in-line of the network traffic flow 
= Should a NIPS fail open or fail shut? 
= NIPS can also perform functions as a protocol analyzer 


e Unified Threat Management 
o Relying on a firewall is not enough 
o Unified Threat Management 
= Combination of network security devices and technologies to provide 
more defense in depth within a single device 
= UTM may include a firewall, NIDS/NIPS, content filter, anti-malware, DLP, 
and VPN 
= UTM is also known as a Next Generation Firewall (NGFW)
e Cloud Computing
o Cloud Computing 
= A way of offering on-demand services that extend the traditional
capabilities of a computer or network 
= Cloud computing relies on virtualization to gain efficiencies and cost 
savings 
o Hyperconvergence allows providers to fully integrate the storage, network, and 
servers 
o Virtual Desktop Infrastructure (VDI) 
= VDI allows a cloud provider to offer a full desktop operating system to an 
end user from a centralized server 
o Secure Enclaves and Secure Volumes 


e Cloud Types 
o Public Cloud 
= A service provider makes resources available to the end users over the 
Internet 


o Private Cloud 
= A company creates its own cloud environment that only it can utilize as 
an internal enterprise resource 
= A private cloud should be chosen when security is more important than 
cost 
o Hybrid 
o Community Cloud 
= Resources and costs are shared among several different organizations 
who have common service needs 


e Asa Service 
o Software as a Service (SaaS) 
= Provides all the hardware, operating system, software, and applications 
needed for a complete service to be delivered 
o Infrastructure as a Service (IaaS)
= Provides all the hardware, operating system, and backend software 
needed in order to develop your own software or service 
o Platform as a Service (PaaS) 
= Provides your organization with the hardware and software needed for a
specific service to operate
= Figure: IaaS, PaaS, and SaaS compared layer by layer (Application, Runtime,
Middleware, O/S, Virtualization, Servers, Storage, Networking)


o Security as a Service (SECaaS) 
= Provides your organization with various types of security services without 
the need to maintain a cybersecurity staff 
= Anti-malware solutions were one of the first SECaaS products 




o Some solutions may not scan all the files on your system 
o Cloud-based vulnerability scans can better provide the attacker’s perspective 
o Your vulnerability data may be stored on the cloud provider’s server 
o Sandboxing 
= Utilizes separate virtual networks to allow security professionals to test 
suspicious or malicious files 
o Data Loss Prevention (DLP) 
o Continuous Monitoring 
o Access Control 
o Identity Management 
o Business Continuity 
o Disaster Recovery 


e Cloud Security 
o Collocated data can become a security risk 
o Configure, manage, and audit user access to virtualized servers 
o Utilizing the cloud securely requires good security policies 
o Data remnants may be left behind after deprovisioning 


Defending Servers 
o File Servers 
= Servers are used to store, transfer, migrate, synchronize, and archive files 
for your organization 
o Email servers are a frequent target of attacks for the data they hold 
o Web servers should be placed in your DMZ 
o FTP Server 
= A specialized type of file server that is used to host files for distribution 
across the web 
= FTP servers should be configured to require TLS connections 
o Domain Controller 
= A server that acts as a central repository of all the user accounts and their 
associated passwords for the network 
o Active Directory is targeted for privilege escalation and lateral movement 


Cloud-based Infrastructure 
o Cloud-based infrastructure must be configured to provide the same level of 
security as a local solution 


Virtual Private Cloud (VPC) 
o A private network segment made available to a single cloud consumer within a 
public cloud 
o The consumer is responsible for configuring the IP address space and routing 
within the cloud 
o VPC is typically used to provision internet-accessible applications that need to be 
accessed from geographically remote sites 
o On-premise solutions maintain their servers locally within the network 
o Many security products offer cloud-based and on-premise versions 
o Consider compliance or regulatory limitations of storing data in a cloud-based 
security solution 
o Be aware of the possibility of vendor lock-in 



CASB 
o Cloud Access Security Broker (CASB) 
= Enterprise management software designed to mediate access to cloud 
services by users across all types of devices 
e Single sign-on 
e Malware and rogue device detection 
e Monitor/audit user activity 
e Mitigate data exfiltration 
= Cloud Access Security Brokers provide visibility into how clients and other 
network nodes use cloud services 
e Forward Proxy 
o A security appliance or host positioned at the client 
network edge that forwards user traffic to the cloud 
network if the contents of that traffic comply with policy 
o WARNING: Users may be able to evade the proxy and 
connect directly 
e Reverse Proxy 
o An appliance positioned at the cloud network edge and 
directs traffic to cloud services if the contents of that 
traffic comply with policy 
o WARNING: This approach can only be used if the cloud 
application has proxy support 
e Application Programming Interface (API) 
o A method that uses the broker's connections between the 
cloud service and the cloud consumer 
o WARNING: Dependent on the API supporting the functions 
that your policies demand 
API 
o Application Programming Interface (API) 
= A library of programming utilities used to enable software developers to 
access functions of another application 
= APIs allow for the automated administration, management, and 
monitoring of a cloud service 
o curl 
= A tool to transfer data from or to a server, using one of the supported 
protocols (HTTP, HTTPS, FTP, FTPS, SCP, SFTP, TFTP, DICT, TELNET, LDAP, 
FILE) 
FAAS and Serverless 
o Function as a Service (FAAS) 
= A cloud service model that supports serverless software architecture by 
provisioning runtime containers in which code is executed in a particular 
programming language 
o Serverless 
= A software architecture that runs functions within virtualized runtime 
containers in a cloud rather than on dedicated server instances 
= Everything in serverless is developed as a function or microservice 
= Serverless eliminates the need to manage physical or virtual servers 
e No patching 
e No administration 
e No file system monitoring 
= The underlying architecture is managed by the cloud service provider 
= Ensure that the clients accessing the services have not been 
compromised 
= Serverless depends on orchestration 


Cloud Threats 
o Insecure Application Programming Interface (API) 
= WARNING: An API must only be used over an encrypted channel (HTTPS) 
= Data received by an API must pass server-side validation routines 
= Implement throttling/rate-limiting mechanisms to protect from a DoS 
o Improper Key Management 
= APIs should use secure authentication and authorization such as SAML or 
OAuth/OIDC before accessing data 
= WARNING: Do not hardcode or embed a key into the source code 
= Do not create one key with full control to access an application’s 
functions 
= Delete unnecessary keys and regenerate keys when moving 
into a production environment 
o Insufficient Logging and Monitoring 
= WARNING: Software as a service may not supply access to log files or 
monitoring tools 
= Logs must be copied to non-elastic storage for long-term retention 
o Unprotected Storage 
= Cloud storage containers are referred to as buckets or blobs 
= WARNING: Access control to storage is administered through container 
policies, IAM authorizations, and object ACLs 
= Incorrect permissions may occur due to default read/write permissions 
leftover from creation 
= Incorrect origin settings may occur when using content delivery networks 
o Cross Origin Resource Sharing (CORS) Policy 
= A content delivery network policy that instructs the browser to treat 
requests from nominated domains as safe 
= WARNING: Weak CORS policies expose the site to vulnerabilities like XSS 
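As an added example (not from the study notes), the difference between a weak and a hardened CORS decision on the server side, in Python; the allowlist and the origins are constructed values.

```python
# Added example (not from the study notes): how a server decides which CORS
# headers to send back. The weak policies trust the Origin header; the hardened
# one checks it against a nominated allowlist. Origins below are constructed.
from urllib.parse import urlsplit

# Constructed allowlist of nominated domains (exact scheme + host).
ALLOWED_ORIGINS = {"https://app.example.com", "https://admin.example.com"}


def weak_cors_headers(origin):
    """Weak: reflects any Origin and allows credentials, so any site can read
    authenticated responses from a victim's browser."""
    if origin is None:
        return {}
    return {
        "Access-Control-Allow-Origin": origin,        # echoed without validation
        "Access-Control-Allow-Credentials": "true",   # cookies go along cross-site
    }


def suffix_cors_headers(origin):
    """Still weak: a suffix match accepts look-alike registrations such as
    evilexample.com, because it only checks how the string ends."""
    if origin and origin.endswith("example.com"):
        return {"Access-Control-Allow-Origin": origin,
                "Access-Control-Allow-Credentials": "true"}
    return {}


def hardened_cors_headers(origin):
    """Hardened: exact match against the allowlist, HTTPS only; anything else
    gets no CORS headers at all, so the browser refuses the cross-origin read."""
    if origin is None:
        return {}
    parts = urlsplit(origin)
    normalized = f"{parts.scheme}://{parts.netloc}".lower()
    if parts.scheme != "https" or normalized not in ALLOWED_ORIGINS:
        return {}
    return {
        "Access-Control-Allow-Origin": normalized,
        "Access-Control-Allow-Credentials": "true",
        "Vary": "Origin",   # so a cache never serves one origin's answer to another
    }


def allows_credentialed_read(headers, origin):
    """Mirror the browser's decision: may a script running at `origin` read an
    authenticated response carrying these headers?"""
    return (headers.get("Access-Control-Allow-Origin") == origin
            and headers.get("Access-Control-Allow-Credentials") == "true")
```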
Workflow Orchestration 


e Orchestration 
o The automation of multiple steps in a deployment process 
o Orchestration is the automation of the automations 
o Rapid elasticity in cloud computing would not be possible without orchestration 
= Resource Orchestration 
= Workload Orchestration 
= Service Orchestration 
o A third-party orchestration platform is protection from vendor lock-in 
= Chef 
= Puppet 
= Ansible 
= Docker 
= Kubernetes 
= GitHub 



[Figure: deployment pipeline stages: Development, Testing/Integration, Staging, Production] 


o Continuous Integration 
= A software development method where code updates are tested and 
committed to a development or build server/code repository rapidly 
= Continuous integration can test and commit updates multiple times per 
day 
= Continuous integration detects and resolves development conflicts early 
and often 
o Continuous Delivery 
= A software development method where application and platform 
requirements are frequently tested and validated for immediate 
availability 
o Continuous Deployment 
= A software development method where application and platform 
updates are committed to production rapidly 
= Continuous delivery focuses on automated testing of code in order to get 
it ready for release 
= Continuous deployment focuses on automated testing and release of 
code in order to get it into the production environment more quickly 
DevSecOps 
o DevOps 
= An organizational culture shift that combines software development and 
systems operations by referring to the practice of integrating the two 
disciplines within a company 
= Operations and developers can build, test, and release software faster 
and more reliably 
o DevSecOps 
= A combination of software development, security operations, and 
systems operations by integrating each discipline with the others 
= DevSecOps utilizes a shift-left mindset 
e Integrate security from the beginning 
e Test during and after development 
e Automate compliance checks 



IAC 
o Infrastructure as Code (IaC) 
= A provisioning architecture in which deployment of resources is 
performed by scripted automation and orchestration 
= IaC allows for the use of scripted approaches to provisioning 
infrastructure in the cloud 
= Robust orchestration can lower overall IT costs, speed up deployments, 
and increase security 
o Snowflake Systems 
= Any system that is different in its configuration compared to a standard 
template within an infrastructure as code architecture 
= Lack of consistency leads to security issues and inefficiencies in support 
o Idempotence 
= A property of IaC that an automation or orchestration action always 
produces the same result, regardless of the component's previous state 
= IaC uses carefully developed and tested scripts and orchestration 
runbooks to generate consistent builds 
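An added example (not from the study notes) of idempotence in Python, using a hypothetical firewall-rule resource as the managed state: the naive appender changes the system on every run, while the reconciler converges on the desired state and reports no changes on repeat runs.

```python
# Added example (not from the study notes): idempotent versus non-idempotent
# provisioning, using a hypothetical firewall-rule resource as the managed state.
# The desired state below is constructed; the point is that `ensure_rules` can be
# re-run any number of times and always lands on the same result.
from copy import deepcopy

DESIRED_RULES = [                                  # constructed IaC template
    {"port": 22,  "proto": "tcp", "action": "allow"},
    {"port": 443, "proto": "tcp", "action": "allow"},
    {"port": 23,  "proto": "tcp", "action": "deny"},
]


def add_rules_naively(current, desired):
    """Non-idempotent: blindly appends, so every run grows the rule set."""
    current = deepcopy(current)
    current.extend(deepcopy(desired))
    return current


def ensure_rules(current, desired):
    """Idempotent: reconcile toward the desired state.
    Returns (new_state, changes); changes is empty when nothing had drifted."""
    key = lambda r: (r["port"], r["proto"])
    have = {key(r): r for r in current}
    want = {key(r): r for r in desired}
    changes = []
    for k, rule in want.items():
        if k not in have:
            changes.append(("add", rule))
        elif have[k] != rule:
            changes.append(("update", rule))    # e.g. a snowflake's drifted action
    for k, rule in have.items():
        if k not in want:
            changes.append(("remove", rule))    # unmanaged drift is removed, not kept
    new_state = [deepcopy(r) for r in want.values()]
    return new_state, changes


def converge(current, desired, runs=3):
    """Apply the reconciler repeatedly; only the first run should change anything."""
    history = []
    state = current
    for _ in range(runs):
        state, changes = ensure_rules(state, desired)
        history.append(len(changes))
    return state, history
```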


Machine Learning 
o Artificial Intelligence (Al) 
= The science of creating machines with the ability to develop problem 
solving and analysis strategies without significant human direction 
or intervention 
o Machine Learning (ML) 
= A component of Al that enables a machine to develop strategies for 
solving a task given a labeled dataset where features have been manually 
identified but without further explicit instructions 
= Machine learning is only as good as the datasets used to train it 
o Artificial Neural Network (ANN) 
= An architecture of input, hidden, and output layers that can perform 
algorithmic analysis of a dataset to achieve outcome objectives 
= A machine learning system adjusts its neural network to reduce errors 
and optimize objectives 
o Deep Learning 
= A refinement of machine learning that enables a machine to develop 
strategies for solving a task given a labeled dataset and without further 
explicit instructions 
= Deep learning uses complex classes of knowledge defined in relation to 
simpler classes of knowledge to make more informed determinations 
about an environment 
Network Attacks 


Network Attacks 
o Denial of Service 
o Spoofing 
o Hijacking 
o Replay 
o Transitive Attacks 
o DNS attacks 
o ARP Poisoning 
o Ports and protocols will be tested on the Security+ exam 



Ports and Protocols 
o Port 
= A logical communication endpoint that exists on a computer or server 
o Inbound Port 
= A logical communication opening on a server that is listening for a 
connection from a client 
o Outbound Port 
= A logical communication opening created on a client in order to call out 
to a server that is listening for a connection 
[Figure: a client at IP 192.168.1.45 opens outbound port 51233 to reach an SSH server at IP 46.124.63.13 listening on inbound port 22] 


o Ports can be any number between 0 and 65,535 
o Well-Known Ports 
= Ports 0 to 1023 are considered well-known and are assigned by the 
Internet Assigned Numbers Authority (IANA) 
o Registered Ports 
= Ports 1024 to 49,151 are considered registered and are usually assigned 
to proprietary protocols 
o Dynamic or Private Ports 
= Ports 49,152 to 65,535 can be used by any application without being 
registered with IANA 


e Memorization of Ports 
o 65,536 ports are available for use 
Port | Protocol | Service | Description 
21 | TCP | FTP | File Transfer Protocol is used to transfer files from host to host 
22 | TCP/UDP | SSH, SCP, SFTP | Secure Shell is used to remotely administer network devices and systems. SCP is used for secure copy and SFTP for secure FTP. 
23 | TCP/UDP | Telnet | Unencrypted method to remotely administer network devices (should not be used) 
25 | TCP | SMTP | Simple Mail Transfer Protocol is used to send email over the Internet 
53 | TCP/UDP | DNS | Domain Name Service is used to resolve hostnames to IPs and IPs to hostnames 
69 | UDP | TFTP | Trivial FTP is used as a simplified version of FTP to put a file on a remote host, or get a file from a remote host 
80 | TCP | HTTP | Hyper Text Transfer Protocol is used to transmit web page data to a client for unsecured web browsing 
88 | TCP/UDP | Kerberos | Used for network authentication using a system of tickets within a Windows domain 
110 | TCP | POP3 | Post Office Protocol v3 is used to receive email from a mail server 
119 | TCP | NNTP | Network News Transfer Protocol is used to transport Usenet articles 
135 | TCP/UDP | RPC/DCOM-SCM | Remote Procedure Call is used to locate DCOM ports and request a service from a program on another computer on the network 
137-139 | TCP/UDP | NetBIOS | NetBIOS is used to conduct name querying, sending of data, and other functions over a NetBIOS connection 
143 | TCP | IMAP | Internet Message Access Protocol is used to receive email from a mail server with more features than POP3 
161 | UDP | SNMP | Simple Network Management Protocol is used to remotely monitor network devices 
162 | TCP/UDP | SNMPTRAP | Used to send Trap and InformRequests to the SNMP Manager on a network 
389 | TCP/UDP | LDAP | Lightweight Directory Access Protocol is used to maintain directories of users and other objects 
443 | TCP | HTTPS | Hyper Text Transfer Protocol Secure is used to transmit web page data to a client over an SSL/TLS-encrypted connection 
445 | TCP | SMB | Server Message Block is used to provide shared access to files and other resources on a network 
465/587 | TCP | SMTP with SSL/TLS | Simple Mail Transfer Protocol used to send email over the Internet with an SSL and TLS secured connection 
514 | UDP | Syslog | Syslog is used to conduct computer message logging, especially for routers and firewall logs 
636 | TCP/UDP | LDAP SSL/TLS | LDAP is used to maintain directories of users and other objects over an encrypted SSL/TLS connection 
860 | TCP | iSCSI | iSCSI is used for linking data storage facilities over IP 
989/990 | TCP | FTPS | File Transfer Protocol Secure is used to transfer files from host to host over an encrypted connection 
993 | TCP | IMAP4 with SSL/TLS | Internet Message Access Protocol is used to receive email from a mail server over an SSL/TLS-encrypted connection 
995 | TCP | POP3 (SSL/TLS) | Post Office Protocol v3 is used to receive email from a mail server using an SSL/TLS-encrypted connection 
1433 | TCP | Ms-sql-s | Microsoft SQL server is used to receive SQL database queries from clients 
1645/1646 | UDP | RADIUS (alternative) | Remote Authentication Dial-In User Service is used for authentication and authorization (1645) and accounting (1646) 
1701 | UDP | L2TP | Layer 2 Tunnel Protocol is used as an underlying VPN protocol but has no inherent security 
1723 | TCP/UDP | PPTP | Point-to-Point Tunneling Protocol is an underlying VPN protocol with built-in security 
1812/1813 | UDP | RADIUS | Remote Authentication Dial-In User Service is used for authentication and authorization (1812) and accounting (1813) 
3225 | TCP/UDP | FCIP | Fibre Channel IP is used to encapsulate Fibre Channel frames within TCP/IP packets 
3260 | TCP | iSCSI Target | iSCSI Target is the listening port for iSCSI-targeted devices when linking data storage facilities over IP 
3389 | TCP/UDP | RDP | Remote Desktop Protocol is used to remotely view and control other Windows systems via a Graphical User Interface 
3868 | TCP | Diameter | A more advanced AAA protocol that is a replacement for RADIUS 
6514 | TCP | Syslog over TLS | Used to conduct computer message logging, especially for routers and firewall logs, over a TLS-encrypted connection 


e Unnecessary Ports 
o 65,536 ports available 
o 35 ports to memorize 
o Unnecessary Port 
= Any port that is associated with a service or function that is non-essential 
to the operation of your computer or network 
o Any open port represents a possible vulnerability that might be exposed 
o Inbound Port 
= A logical communication opening on a server that is listening for a 
connection from a client 
o C:\ net stop service 
o # sudo stop service 
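An added example, not from the study notes: auditing a host's listening ports against an approved list in Python, using a constructed listing in the style of Linux `ss -ltn` and the service names from the port table above. The approved set is a hypothetical policy for one web server, not a general recommendation.

```python
# Added example (not from the study notes): audit a host's listening sockets
# against an approved baseline and flag unnecessary ports. The sample output
# below is constructed in the style of `ss -ltn` on Linux; real output varies.
import re

# Service names follow the Security+ port table; APPROVED is a constructed policy
# for a hypothetical web server (SSH for admin, HTTP/HTTPS for the site).
WELL_KNOWN = {21: "FTP", 22: "SSH", 23: "Telnet", 25: "SMTP", 53: "DNS",
              69: "TFTP", 80: "HTTP", 110: "POP3", 143: "IMAP", 443: "HTTPS",
              445: "SMB", 3389: "RDP"}
APPROVED = {22, 80, 443}        # what this host is supposed to expose
DEPRECATED = {23, 69}           # unencrypted services the notes say not to use

# Constructed sample, not captured from a real system.
SAMPLE_SS_OUTPUT = """\
State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    0.0.0.0:22         0.0.0.0:*
LISTEN 0      511    0.0.0.0:80         0.0.0.0:*
LISTEN 0      511    [::]:443           [::]:*
LISTEN 0      5      0.0.0.0:23         0.0.0.0:*
LISTEN 0      128    127.0.0.1:3306     0.0.0.0:*
LISTEN 0      50     0.0.0.0:445        0.0.0.0:*
"""

_LISTEN_RE = re.compile(r"^LISTEN\s+\d+\s+\d+\s+(\S+):(\d+)\s")


def parse_listeners(text):
    """Return [(bind_address, port)] for every LISTEN line in ss-style output."""
    found = []
    for line in text.splitlines():
        m = _LISTEN_RE.match(line)
        if m:
            found.append((m.group(1), int(m.group(2))))
    return found


def audit_ports(text, approved=APPROVED):
    """Classify each listener as 'approved', 'deprecated', or 'unnecessary'."""
    report = []
    for addr, port in parse_listeners(text):
        name = WELL_KNOWN.get(port, "unknown")
        if port in DEPRECATED:
            verdict = "deprecated"
        elif port in approved:
            verdict = "approved"
        else:
            verdict = "unnecessary"
        # A loopback-only bind is lower risk but still recorded for review.
        exposed = not addr.startswith(("127.", "[::1]"))
        report.append({"port": port, "service": name, "verdict": verdict,
                       "externally_exposed": exposed})
    return report


def findings(text, approved=APPROVED):
    """Sorted list of ports that should be closed: anything not approved."""
    return sorted(r["port"] for r in audit_ports(text, approved)
                  if r["verdict"] != "approved")
```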


e Denial of Service 
o Denial of Service (DoS) 
= Term used to describe many different types of attacks which attempt to 
make a computer or server’s resources unavailable 
e Flood Attacks 
e Ping of Death 
e Teardrop Attack 
e Permanent DoS 
e Fork Bomb 
o Flood Attack 
= A specialized type of DoS which attempts to send more packets to a 
single server or host than they can handle 


[Figure: flood attack: a flood of requests directed at a single server] 


o Ping Flood 
= An attacker attempts to flood the server by sending too many ICMP echo 
request packets (which are known as pings) 
o Smurf Attack 
= Attacker sends a ping to subnet broadcast address and devices reply to 
spoofed IP (victim server), using up bandwidth and processing 


69 
https://www.DionTraining.com © 2022 v1.2 


Dion Training Solutions, LLC is a Platinum Delivery Partner for CompTIA certification products. All rights reserved. 


[Figure: Smurf attack: a ping request with spoofed SRC IP 10.1.1.2 (the victim server) is sent to DEST IP 192.168.1.255, the broadcast address of the 192.168.1.0/24 subnet, so every host on the subnet replies to the victim] 


o Fraggle Attack 
= Attacker sends a UDP echo packet to port 7 (ECHO) and port 19 
(CHARGEN) to flood a server with UDP packets 
o SYN Flood 
= Variant on a Denial of Service (DOS) attack where attacker initiates 
multiple TCP sessions but never completes the 3-way handshake 


[Figure: SYN flood: SYN requests arrive at the server from spoofed source IPs 66.12.35.13, 23.43.76.15, 124.1.59.15, and 134.250.5.1; the server sends SYN-ACKs to the spoofed IPs and the handshakes are never completed] 


= Flood guards, timeouts, and an IPS can prevent SYN Floods 


o XMAS Attack 
= A specialized network scan that sets the FIN, PSH, and URG flags and 
can cause a device to crash or reboot 
o Ping of Death 
= An attack that sends an oversized and malformed packet to another 
computer or server 
o Teardrop Attack 
= Attack that breaks apart packets into IP fragments, modifies them with 
overlapping and oversized payloads, and sends them to a victim machine 
o Permanent Denial of Service 
= Attack which exploits a security flaw to permanently break a networking 
device by reflashing its firmware 
o Fork Bomb 
= Attack that creates a large number of processes to use up the available 
processing power of a computer 


DDoS 
o Distributed Denial of Service (DDoS) 
= A group of compromised systems attack simultaneously a single target to 
create a Denial of Service (DOS) 
o DNS Amplification 
= Attack which relies on the large amount of DNS information that is sent in 
response to a spoofed query on behalf of the victimized server 


Stopping a DDoS 
o GitHub suffered a 1.35 Tbps DDoS 
o Blackholing or Sinkholing 
= Identifies any attacking IP addresses and routes all their traffic to a non- 
existent server through the null interface 
o An IPS can prevent a small-scale DDoS 
o Specialized security services cloud providers can stop DDoS attacks 


Spoofing 
o Spoofing 
= Occurs when an attacker masquerades as another person by falsifying 
their identity 
= Anything that uniquely identifies a user or system can be spoofed 
= Proper authentication is used to detect and prevent spoofing 
Hijacking 
o Hijacking 
= Exploitation of a computer session in an attempt to gain unauthorized 
access to data, services, or other resources on a computer or server 
= Session theft 
= TCP/IP hijacking 
= Blind hijacking 
= Clickjacking 
= Man-in-the-Middle 
= Man-in-the-Browser 
= Watering hole 
= Cross-site scripting 
o Session Theft 
= Attacker guesses the session ID for a web session, enabling them to take 
over the already authorized session of the client 


[Figure: session theft: the client's session ID ABEDA31534CDA7648 is obtained by the attacker, who presents the same session ID to the server and is treated as the victim] 


o TCP/IP Hijacking 
= Occurs when an attacker takes over a TCP session between two 
computers without the need of a cookie or other host access 
o Blind Hijacking 
= Occurs when an attacker blindly injects data into the communication 
stream without being able to see if it is successful or not 
o Clickjacking 
= Attack that uses multiple transparent layers to trick a user into clicking on 
a button or link on a page when they were intending to click on the 
actual page 
o Man-in-the-Middle (MITM) 
= Attack that causes data to flow through the attacker’s computer where 
they can intercept or manipulate the data 
[Figure: man-in-the-middle: the client (ACCT 12345) sends the transaction "Transfer $50 to ACCT 12345"; the attacker (ACCT 67890) intercepts it and forwards "Transfer $5000 to ACCT 67890" to the banking server] 


o Man-in-the-Browser (MITB) 
= Occurs when a Trojan infects a vulnerable web browser and modifies the 
web pages or transactions being done within the browser 
o Watering Hole 
= Occurs when malware is placed on a website that the attacker knows his 
potential victims will access 


e Replay Attack 
o Replay Attack 
= Network-based attack where a valid data transmission is fraudulently or 
maliciously rebroadcast, repeated, or delayed 
= Multi-factor authentication can help prevent successful replay attacks 


e Transitive Attacks 
o Transitive Attacks aren’t really an attack but more of a conceptual method 
= Transitive Property: A = B = C 
o When security is sacrificed in favor of more efficient operations, additional risk 
exists 


e DNS Attacks 
o DNS Poisoning 
= Occurs when the name resolution information is modified in the DNS 
server’s cache 
= If the cache is poisoned, then the user can be redirected to a malicious 
website 
o Unauthorized Zone Transfer 
= Occurs when an attacker requests replication of the DNS information to 
their systems for use in planning future attacks 
o Altered Hosts File 
= Occurs when an attacker modifies the hosts file to have the client bypass 
the DNS server and redirects them to an incorrect or malicious website 
= Windows stores the hosts file in the following directory: 
%systemroot%\system32\drivers\etc 
o Pharming 
= Occurs when an attacker redirects one website’s traffic to another 
website that is bogus or malicious 
o Domain Name Kiting 
= Attack that exploits a process in the registration process for a domain 
name that keeps the domain name in limbo and cannot be registered by 
an authenticated buyer 


ARP Poisoning 
o ARP Poisoning 
= Attack that exploits the IP address to MAC resolution in a network to 
steal, modify, or redirect frames within the local area network 
= Allows an attacker to essentially take over any sessions within the LAN 
= ARP Poisoning is prevented by VLAN segmentation and DHCP snooping 
Securing Networks 


Securing Networks 
o Wired and wireless networks are vulnerable to attacks 


Securing Network Devices 
o Network devices include switches, routers, firewalls, and more 
o Default Accounts 
= A user or administrator-level account that is installed on a device by the 
manufacturer during production 
o Weak Passwords 
= A password should be long, strong, and complex. This should require at 
least 14 characters with a mix of uppercase, lowercase, numbers, and 
special characters 
e password 
e PaSSworD 
e Pa55wOrd 
e P@S5wOrd 


o Privilege Escalation 
= Occurs when a user is able to gain the rights of another user or 
administrator 
= Vertical Privilege Escalation 
= Horizontal Privilege Escalation 
o Backdoor 
= A way of bypassing normal authentication in a system 
o An IPS, proper firewall configs, network segmentation, and firmware updates 
are the keys to having network security 


Securing Network Media 
o Network Media 
= Copper, fiber optic, and coaxial cabling used as the connectivity method 
in a wired network 
o Electromagnetic Interference (EMI) 
= A disturbance that can affect electrical circuits, devices, and cables due to 
radiation or electromagnetic conduction 
= EMI can be caused by TVs, microwaves, cordless phones, motors, and 
other devices 
= Shielding the cables (STP) or the source can minimize EMI 
o Radio Frequency Interference (RFI) 
= A disturbance that can affect electrical circuits, devices, and cables due to 
AM/FM transmissions or cell towers 
= RFI causes more problems for wireless networks 
o Crosstalk 
= Occurs when a signal transmitted on one copper wire creates an 
undesired effect on another wire 
= UTP is commonly used more often than STP 
o Data Emanation 
= The electromagnetic field generated by a network cable or device when 
transmitting 
= A Faraday cage can be installed to prevent a room from emanating 
= Split the wires of a twisted-pair connection 
o Protected Distribution System (PDS) 
= Secured system of cable management to ensure that the wired network 
remains free from eavesdropping, tapping, data emanations, and other 
threats 


Securing WiFi Devices 
o Service Set Identifier (SSID) 
= Uniquely identifies the network and is the name of the WAP used by the 
clients 
= Disable the SSID broadcast in the exam 
o Rogue Access Point 
= An unauthorized WAP or Wireless Router that allows access to the secure 
network 
o Evil Twin 
= A rogue, counterfeit, and unauthorized WAP with the same SSID as your 
valid one 


Wireless Encryption 
o Encryption of data in transit is paramount to security 
o Pre-Shared Key 
= Same encryption key is used by the access point and the client 
o Wired Equivalent Privacy (WEP) 
= Original 802.11 wireless security standard that claims to be as secure as a 
wired network 
= WEP’s weakness is its 24-bit IV (Initialization Vector) 
o WiFi Protected Access (WPA) 
= Replacement for WEP which uses TKIP, Message Integrity Check (MIC), 
and RC4 encryption 
= WPA was flawed, so it was replaced by WPA2 
o WiFi Protected Access version 2 (WPA2) 
= 802.11i standard to provide better wireless security featuring AES with a 
128-bit key, CCMP, and integrity checking 
= WPA2 is considered the best wireless encryption available 


If you are asked about... | Look for the answer with... 
Open | No security or protection provided 
WEP | IV 
WPA | TKIP and RC4 
WPA2 | CCMP and AES 


o If we make operations easier, then security is reduced 
o WiFi Protected Setup (WPS) 
= Automated encryption setup for wireless networks at a push of a button, 
but is severely flawed and vulnerable 
= Always disable WPS 
o Encryption and VPNs are always a good idea 


e Wireless Access Points 
o Wireless security also relies upon proper WAP placement 
[Figure: omnidirectional vs. unidirectional antenna coverage patterns] 
o Wireless B, G, and N use a 2.4 GHz signal 
o Wireless A, N, and AC use a 5.0 GHz signal 
o 2.4 GHz signals can travel further than 5 GHz 
o Jamming 
= Intentional radio frequency interference targeting your wireless network 
to cause a denial of service condition 
= Wireless site survey software and spectrum analyzers can help identify 
jamming and interference 
o AP Isolation 
= Creates a network segment for each client when it connects to prevent 
them from communicating with other clients on the network 


e Wireless Attacks 
o War Driving 
= Act of searching for wireless networks by driving around until you find 
them 
= Attackers can use wireless survey or open source attack tools 
o War Chalking 
= Act of physically drawing symbols in public places to denote the open, 
closed, and protected networks in range 


[Figure: war chalking symbols for open, closed, and protected networks, each annotated with SSID and bandwidth, the protected symbol also with the password] 


= War chalking digitally is becoming more commonplace 
o IV Attack 
= Occurs when an attacker observes the operation of a cipher being used 
with several different keys and finds a mathematical relationship 
between those keys to determine the clear text data 
= This happened with WEP and makes it easy to crack 
o WiFi Disassociation Attack 
= Attack that targets an individual client connected to a network, forces it 
offline by deauthenticating it, and then captures the handshake when it 
reconnects 
= Used as part of an attack on WPA/WPA2 
o Brute Force Attack 
= Occurs when an attacker continually guesses a password until the correct 
one is found 
= Brute force will always find the password...eventually! 


e WPA3 
o Wi-Fi Protected Access 3 (WPA3) was introduced in 2018 to strengthen WPA2 
o WPA3 has an equivalent cryptographic strength of 192 bits in WPA3 - Enterprise 
Mode 


o WPA3 - Enterprise Mode 
= Uses AES-256 encryption with a SHA-384 hash for integrity checking 
o WPA3 - Personal Mode 
= Uses CCMP-128 as the minimum encryption required for secure 
connectivity 
= Largest improvement in WPA3 is the removal of the Pre-Shared Key (PSK) 
exchange 
o Simultaneous Authentication of Equals (SAE) 
= A secure password-based authentication and password-authenticated 
key agreement method 
= Simultaneous Authentication of Equals (SAE) provides forward secrecy 
o Perfect Forward Secrecy or Forward Secrecy 
= A feature of key agreement protocols (like SAE) that provides assurance 
that session keys will not be compromised even if long-term secrets used 
in the session key exchange are compromised 
e The AP and the client use a public key system to generate a pair of 
long-term keys 
e The AP and the client exchange a one-time use session key using a 
secure algorithm like Diffie-Hellman 
e The AP sends the client messages and encrypts them using the 
session key created in Step 2 
e Client decrypts the messages received using the same one-time 
use session key 
e The process repeats for every message being sent, starting at Step 
2 to ensure forward secrecy 
= This concept is a review of how key exchange protocols work from your 
Network+ studies 
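The five steps above, worked through as an added example in Python (not code from the study notes): ephemeral Diffie-Hellman over a constructed toy group, with a shared long-term HMAC key standing in for the notes' long-term public-key pair to authenticate each exchange. Each session discards its private exponent, so a later compromise of the long-term key plus the captured transcript does not reveal earlier session keys.

```python
# Added example (not from the study notes): a toy walk-through of the forward
# secrecy steps above. The long-term key (here a shared HMAC key, a
# simplification of the notes' long-term public-key pair) only authenticates
# each exchange; every session derives a fresh key from throwaway exponents.
import hashlib
import hmac
import secrets

# Constructed toy group: P is a real prime but far too small for actual use;
# a deployment would use a standard group (or an elliptic-curve exchange).
P = (1 << 127) - 1
G = 3


class Party:
    def __init__(self, name, long_term_key):
        self.name = name
        self.long_term_key = long_term_key      # Step 1: survives across sessions
        self.session_key = None
        self._ephemeral = None                  # private exponent, one per session

    def start(self):
        """Step 2: pick a fresh one-time exponent and publish g^x with a MAC."""
        self._ephemeral = secrets.randbelow(P - 2) + 1
        public = pow(G, self._ephemeral, P)
        tag = hmac.new(self.long_term_key, public.to_bytes(16, "big"),
                       hashlib.sha256).digest()
        return public, tag

    def finish(self, peer_public, peer_tag):
        """Authenticate the peer's value with the long-term key, then derive the
        session key from the shared secret and discard the exponent."""
        expected = hmac.new(self.long_term_key, peer_public.to_bytes(16, "big"),
                            hashlib.sha256).digest()
        if not hmac.compare_digest(expected, peer_tag):
            raise ValueError("peer value not authenticated: possible MITM")
        shared = pow(peer_public, self._ephemeral, P)
        self.session_key = hashlib.sha256(shared.to_bytes(16, "big")).digest()
        self._ephemeral = None                  # this discard is what buys forward secrecy
        return self.session_key


def run_session(ap, client):
    """One exchange (Steps 2-4). Returns only what an eavesdropper would see:
    the public values, never the exponents or the derived key."""
    ap_pub, ap_tag = ap.start()
    client_pub, client_tag = client.start()
    k_ap = ap.finish(client_pub, client_tag)
    k_client = client.finish(ap_pub, ap_tag)
    if k_ap != k_client:
        raise RuntimeError("key agreement failed")
    return {"ap_public": ap_pub, "client_public": client_pub}


def demo():
    """Step 5: repeat from Step 2 for the next message; keys must differ."""
    ltk = secrets.token_bytes(32)               # long-term secret, shared out of band
    ap, client = Party("AP", ltk), Party("client", ltk)
    transcript1 = run_session(ap, client)
    key1 = ap.session_key
    transcript2 = run_session(ap, client)
    key2 = ap.session_key
    return key1, key2, transcript1, transcript2
```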


Other Wireless Technologies 
o Bluejacking 
= Sending of unsolicited messages to Bluetooth-enabled devices such as 
mobile phones and tablets 
o Bluesnarfing 
= Unauthorized access of information from a wireless device through a 
Bluetooth connection 
o Bluejacking sends information 
o Bluesnarfing takes information 
o Don’t allow Bluetooth devices to use default PINs for pairing 
o Radio Frequency Identification (RFID) 
= Devices that use a radio frequency signal to transmit identifying 
information about the device or token holder 
= RFID can operate from 10 cm to 200 meters depending on the device 
o Near Field Communication (NFC) 
= Allows two devices to transmit information when they are within close 
range through automated pairing and transmission 
= NFC devices are operated within 4 cm from each other 
Physical Security 


Physical Security 
o If an attacker can physically touch your devices, they can own your devices 


Surveillance 
o Closed Circuit TV (CCTV) 
o Pan Tilt Zoom (PTZ) 


Door Locks 
o Door locks can use keys, pins, wireless signals, or biometrics 
o Mantrap 
= Area between two doorways that holds people until they are identified 
and authenticated 


Biometric Readers 
o Biometrics 
= Relies on the physical characteristics of a person to identify them 
= Biometrics is considered “something you are” 
o False Acceptance Rate (FAR) 
= Rate that a system authenticates a user as authorized or valid when they 
should not have been granted access to the system 
o False Rejection Rate (FRR) 
= Rate that a system denies a user as authorized or valid when they should 
have been granted access to the system 
o Crossover Error Rate (CER) 
= An equal error rate (EER) where the false acceptance rate and false 
rejection rate are equal 
= CER measures the effectiveness of a biometric system 
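An added example (not from the study notes): FAR, FRR, and the crossover error rate computed from constructed match scores in Python, sweeping the acceptance threshold to find where the two rates meet.

```python
# Added example (not from the study notes): computing FAR, FRR, and the
# crossover error rate from a constructed set of biometric match scores.
# Scores are similarity values 0-100; a sample is accepted when score >= threshold.
GENUINE_SCORES = [92, 88, 85, 81, 78, 74, 70, 66, 60, 55]   # constructed: legitimate users
IMPOSTOR_SCORES = [20, 28, 33, 40, 47, 52, 58, 63, 69, 75]  # constructed: other people


def far(impostor_scores, threshold):
    """False Acceptance Rate: share of impostors the system wrongly lets in."""
    accepted = sum(1 for s in impostor_scores if s >= threshold)
    return accepted / len(impostor_scores)


def frr(genuine_scores, threshold):
    """False Rejection Rate: share of legitimate users the system wrongly denies."""
    rejected = sum(1 for s in genuine_scores if s < threshold)
    return rejected / len(genuine_scores)


def error_curve(genuine_scores, impostor_scores, thresholds=range(0, 101)):
    """(threshold, FAR, FRR) for each candidate threshold. Raising the threshold
    lowers FAR and raises FRR; lowering it does the opposite."""
    return [(t, far(impostor_scores, t), frr(genuine_scores, t)) for t in thresholds]


def crossover_error_rate(genuine_scores, impostor_scores):
    """Threshold where FAR and FRR are closest (equal, in the ideal case), plus
    the two rates there. The lowest such threshold wins ties. A lower CER
    means a more effective biometric system."""
    curve = error_curve(genuine_scores, impostor_scores)
    t, f_a, f_r = min(curve, key=lambda row: (abs(row[1] - row[2]), row[0]))
    return t, f_a, f_r
```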
Facilities Security 
e Facility Security 


e Fire Suppression 
o Fire Suppression 
= Process of controlling and/or extinguishing fires to protect an 
organization’s employees, data, equipment, and buildings 
o Handheld 
= Class A, B, C, D, K 
e Class A: Ordinary combustibles (wood, paper, rubber, fabrics, and many plastics) 
e Class B: Flammable liquids and gases (gasoline, oils, paint, lacquer, and tar) 
e Class C: Fires involving live electrical equipment 
e Class D: Combustible metals or combustible metal alloys 
e Class K: Fires in cooking appliances that involve combustible cooking media 
(vegetable or animal oils and fats) 


o Sprinklers 


= Wet Pipe Sprinkler System 
e Pipes are filled with water all the way to the sprinkler head and 
are just waiting for the bulb to be melted or broken 
= Dry Pipe Sprinkler System 
e Pipes are filled with pressurized air and only push water into 
the pipes when needed to combat the fire 
= A pre-action sprinkler system will activate when heat or smoke is 
detected 
o Special Hazard Protection 
= Clean Agent System 
e Fire suppression system that relies upon gas (HALON, FM-200, or 
CO2) instead of water to extinguish a fire 
o If you hear a loud alarm in the server room... GET OUT! 


o HVAC 
= Heating, Ventilation, and Air Conditioning 
o Humidity should be kept around 40% 
o HVAC systems may be connected to ICS and SCADA networks 


Shielding 
o Shielded Twisted Pair (STP) adds a layer of shielding inside the cable 
o Faraday Cage 
= Shielding installed around an entire room that prevents electromagnetic energy and radio frequencies from entering or leaving the room 
o TEMPEST 
= U.S. Government standards for the level of shielding required in a building to ensure emissions and interference cannot enter or exit the facility 
= TEMPEST facilities are also resistant to EMPs (electromagnetic pulses) 


e Vehicular Vulnerabilities 
o Vehicles connect numerous subsystems over a controller area network (CAN) 
= Controller Area Network (CAN) 
e A digital serial data communications network used within vehicles 
e The primary external interface is the Onboard Diagnostics (OBD-II) module 
e No concept of source addressing or message authentication in a CAN bus 
o Attach the exploit to OBD-II 
o Exploit over onboard cellular 
o Exploit over onboard Wi-Fi 


e IoT Vulnerabilities 
o Internet of Things (IoT) 
= A group of objects (electronic or not) that are connected to the wider Internet by using embedded electronic components 
= Most smart devices use an embedded version of Linux or Android as their OS 
= Devices must be secured and updated when new vulnerabilities are found 


e Embedded System Vulnerabilities 
o Embedded Systems 
= A computer system that is designed to perform a specific, dedicated function 
= Embedded systems are considered static environments where frequent changes are not made or allowed 
= Embedded systems have very little support for identifying and correcting security issues 


o Programmable Logic Controller (PLC) 
= A type of computer designed for deployment in an industrial or outdoor 
setting that can automate and monitor mechanical systems 
= PLC firmware can be patched and reprogrammed to fix vulnerabilities 
o System-on-Chip (SoC) 
= A processor that integrates the platform functionality of multiple logical 
controllers onto a single chip 
= System-on-Chip are power efficient and used with embedded systems 
o Real-Time Operating System (RTOS) 
= A type of OS that prioritizes deterministic execution of operations to 
ensure consistent response for time-critical tasks 
= Embedded systems typically cannot tolerate reboots or crashes and must 
have response times that are predictable to within microsecond 
tolerances 
o Field Programmable Gate Array (FPGA) 
= A processor that can be programmed to perform a specific function by a 
customer rather than at the time of manufacture 
= End customer can configure the programming logic to run a specific 
application instead of using an ASIC 
(application-specific integrated circuit) 


e ICS and SCADA Vulnerabilities 
o Operational Technology (OT) 
= A communications network designed to implement an industrial control system rather than data networking 
= Industrial systems prioritize availability and integrity over confidentiality 

o Industrial Control Systems (ICS) 
= A network that manages embedded devices 
= ICS is used for electrical power stations, water suppliers, health services, 
telecommunications, manufacturing, and defense needs 
o Fieldbus 
= Digital serial data communications used in operational technology 
networks to link PLCs 
o Human-Machine Interface (HMI) 
= Input and output controls on a PLC to allow a user to configure and 
monitor the system 
= ICS manages the process automation by linking together PLCs using a 
fieldbus to make changes in the physical world (valves, motors, etc.) 
o Data Historian 
= Software that aggregates and catalogs data from multiple sources within 
an industrial control system 
o Supervisory Control and Data Acquisition (SCADA) 
= A type of industrial control system that manages large-scale, 
multiple-site devices and equipment spread over geographic region 
= SCADA typically run as software on ordinary computers to gather data 
from and manage plant devices and equipment with embedded PLCs 
o Modbus 
= A communications protocol used in operational technology networks 
= Modbus gives control servers and SCADA hosts the ability to query and 
change the configuration of each PLC 


Mitigating Vulnerabilities 
o Four key controls for mitigating vulnerabilities in specialized systems 
= Establish administrative control over Operational technology networks by 
recruiting staff with relevant expertise 
= Implement the minimum network links by disabling unnecessary links, 
services 
= Develop and test a patch management program for Operational 
Technology Network 
= Perform regular audits of logical and physical access to systems to detect 
possible vulnerabilities and intrusion 
o Warning: Enumeration tools and vulnerability scanners can cause problems on 
Operational Technology Network 


Premise System Vulnerabilities 


o Premise Systems 
= Systems used for building automation and physical access security 
= Many system designs allow the monitoring to be accessible from the 
corporate data network or even directly from the Internet 
o Building Automation System (BAS) 
= Components and protocols that facilitate the centralized configuration 
and monitoring of mechanical and electrical systems within offices and 
data centers 
e Process and memory vulnerabilities in PLC 
e Plaintext credentials or keys in application code 
e Code injection via web user interface 
= Denial of Service conditions could be caused by affecting building 
automation systems like HVAC 


o Physical Access Control System (PACS) 
= Components and protocols that facilitate the centralized configuration and monitoring of security mechanisms within offices and data centers 
= PACS can either be implemented as part of a building automation system or a separate system 
= WARNING: PACS are often installed and maintained by an external supplier and are therefore omitted from risk and vulnerability assessments by analysts 
Authentication 


Authentication 
o Multi-factor Authentication 
= Use of two or more authentication factors to prove a user’s identity 
e Knowledge 
e Ownership 
e Characteristic 
e Location 
e Action 
= Username and password are only considered single-factor authentication 
o One-Time Passwords 
= Time-based One Time Password (TOTP) 
e A password is computed from a shared secret and current time 
= HMAC-based One Time Password (HOTP) 
e A password is computed from a shared secret and is synchronized 
between the client and the server 


Authentication Models 
o Context-aware Authentication 
= Process to check the user's or system's attributes or characteristics prior 
to allowing it to connect 
= Restrict authentication based on the time of day or location 
o Single Sign-On (SSO) 
= A default user profile for each user is created and linked with all of the 
resources needed 
= Compromised SSO credentials cause a big breach in security 
o Federated Identity Management (FIdM) 
= A single identity is created for a user and shared with all of the 
organizations in a federation 
= Cross-Certification 
e Utilizes a web of trust between organizations where each one 
certifies others in the federation 
= Trusted Third-Party 
e Organizations are able to place their trust in a single third-party 
(also called the bridge model) 
e Trusted third-party model is more efficient than a cross 
certification or web of trust model 
= Security Assertion Markup Language (SAML) 
e Attestation model built upon XML used to share federated identity management information between systems 
= OpenID 
e An open standard and decentralized protocol that is used to authenticate users in a federated identity management system 
e User logs into an Identity Provider (IP) and uses their account at Relying Parties (RP) 
e OpenID is easier to implement than SAML 
e SAML is more efficient than OpenID 


o 802.1x Authentication 
= Standardized framework used for port-based authentication on wired and wireless networks 
= RADIUS 
= TACACS+ 
[Figure: 802.1x Authentication between the Supplicant and the Authentication Server, covering Key Management, Key Distribution, and Secured Data] 
= 802.1x can prevent rogue devices 
o Extensible Authentication Protocol (EAP) 
= A framework of protocols that allows for numerous methods of authentication including passwords, digital certificates, and public key infrastructure 
= EAP-MD5 uses simple passwords for its challenge-authentication 
= EAP-TLS uses digital certificates for mutual authentication 
= EAP-TTLS uses a server-side digital certificate and a client-side password for mutual authentication 
o EAP-FAST 
= Provides flexible authentication via secure tunneling (FAST) by using a protected access credential instead of a certificate for mutual authentication 
o Protected EAP (PEAP) 
= Supports mutual authentication by using server certificates and Microsoft's Active Directory to authenticate a client's password 
o LEAP is proprietary to Cisco-based networks 


e LDAP and Kerberos 
o Lightweight Directory Access Protocol (LDAP) 
= A database used to centralize information about clients and objects on the network 
= Unencrypted 
e Port 389 
= Encrypted 
e Port 636 
= Active Directory is Microsoft's version 
o Kerberos 
= An authentication protocol used by Windows to provide for two-way (mutual) authentication using a system of tickets 
= Kerberos 
e Port 88 
= A domain controller can be a single point of failure for Kerberos 


e Remote Desktop Services 
o Remote Desktop Protocol (RDP) 
= Microsoft’s proprietary protocol that allows administrators and users to 
remotely connect to another computer via a GUI 
= RDP doesn’t provide authentication natively 
o Virtual Network Computing (VNC) 
= Cross-platform version of the Remote Desktop Protocol for remote user GUI access 
= VNC requires a client, server, and protocol be configured 
o RDP 
= Port 3389 
o VNC 
= Port 5900 


e Remote Access Services 
o Password Authentication Protocol (PAP) 
= Used to provide authentication but is not considered secure since it 
transmits the login credentials unencrypted (in the clear) 
o Challenge Handshake Authentication Protocol (CHAP) 
= Used to provide authentication by using the user’s password to encrypt a 
challenge string of random numbers 
[Figure: CHAP exchange: 1) the client sends the user ID (jason.dion) unencrypted; 2) the server sends a random string (a3d1245f); 3) the client returns a hash of the random string and password (5a12f3c23); 4) the server compares the responses and, if correct, authenticates the user (login success)] 
= Microsoft's version of CHAP is MS-CHAP 
o PAP and CHAP used mostly with dial-up 
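The CHAP exchange in the figure, as an added example that is not part of the original notes: the response is computed as MD5-CHAP defines it in RFC 1994 (MD5 over the identifier, the secret and the challenge), and a constructed authenticator shows why a fresh random challenge per attempt matters. The user name, password and scenario are made up for the example.

```python
import hashlib
import hmac
import os


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """MD5-CHAP response per RFC 1994 section 4.1:
    MD5(Identifier || secret || Challenge). Only this digest crosses the
    link; the password itself never does."""
    return hashlib.md5(bytes([identifier & 0xFF]) + secret + challenge).digest()


class ChapAuthenticator:
    """Constructed server side of the exchange in the figure. It knows each
    peer's secret, issues a fresh random challenge for every attempt and
    compares the returned digest with the one it computes itself."""

    def __init__(self, secrets: dict) -> None:
        self.secrets = secrets      # user -> shared secret (the password)
        self.pending = {}           # user -> (identifier, challenge) awaiting an answer
        self._ident = 0

    def challenge(self, user: str):
        """Step 2: send a random challenge string (plus a one-byte identifier)."""
        self._ident = (self._ident + 1) & 0xFF
        chal = os.urandom(16)
        self.pending[user] = (self._ident, chal)
        return self._ident, chal

    def verify(self, user: str, identifier: int, response: bytes) -> bool:
        """Step 4: recompute the hash from the stored challenge and compare.
        pop() retires the challenge, so a response observed once cannot be
        replayed against a later login attempt."""
        entry = self.pending.pop(user, None)
        secret = self.secrets.get(user)
        if entry is None or secret is None or entry[0] != identifier:
            return False
        expected = chap_response(identifier, secret, entry[1])
        return hmac.compare_digest(expected, response)


def chap_login(server: ChapAuthenticator, user: str, password: bytes) -> bool:
    """Steps 1-4 from the client's side: announce the user ID in the clear,
    receive the challenge, answer with the hash."""
    ident, chal = server.challenge(user)
    return server.verify(user, ident, chap_response(ident, password, chal))


def demo() -> dict:
    """Constructed scenario: correct password, wrong password, unknown user,
    and an observer re-sending a response seen in an earlier exchange."""
    server = ChapAuthenticator({"jason.dion": b"correct-horse-battery"})
    results = {
        "correct_password": chap_login(server, "jason.dion", b"correct-horse-battery"),
        "wrong_password": chap_login(server, "jason.dion", b"letmein"),
        "unknown_user": chap_login(server, "mallory", b"anything"),
    }
    # One genuine exchange is observed, then its response is reused later:
    # the identifier and challenge have moved on, so the server rejects it.
    ident, chal = server.challenge("jason.dion")
    observed = chap_response(ident, b"correct-horse-battery", chal)
    server.verify("jason.dion", ident, observed)      # the genuine login succeeds
    server.challenge("jason.dion")                    # a new attempt gets a new challenge
    results["replayed_response"] = server.verify("jason.dion", ident, observed)
    return results
```

Because the digest is plain MD5 over a human-chosen password, a captured challenge/response pair still lets weak passwords be checked offline; the tunnelled EAP methods earlier in these notes exist largely to close that gap.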


VPN 
o Virtual Private Network (VPN) 
= Allows end users to create a tunnel over an untrusted network and 
connect remotely and securely back into the enterprise network 
= Client-to-Site VPN or Remote Access VPN 
o VPN Concentrator 
= Specialized hardware device that allows for hundreds of simultaneous 
VPN connections for remote workers 
o Split Tunneling 
= A remote worker's machine diverts internal traffic over the VPN but 
external traffic over their own internet connection 
= Prevent split tunneling through proper configuration and network 
segmentation 


e RADIUS and TACACS+ 
o Remote Authentication Dial-In User Service (RADIUS) 
= Provides centralized administration of dial-up, VPN, and wireless 
authentication services for 802.1x and the Extensible Authentication 
Protocol (EAP) 
= RADIUS operates at the application layer 
[Figure: RADIUS AAA (Authentication, Authorization, and Accounting) ports: the standard ports are Authentication 1812 and Authorization 1813; the proprietary variation uses Authentication 1645 and Authorization 1646] 
o Cisco's TACACS+ is a proprietary version of RADIUS 
= TACACS+ uses Port 49 (TCP) 
Authentication Summary 
o 802.1x 
= IEEE standard that defines Port-based Network Access Control (PNAC) 
and is a data link layer authentication technology used to connect 
devices to a wired or wireless LAN 
o LDAP 
= Application layer protocol for accessing and modifying directory services 
data (Active Directory uses it) 
o Kerberos 
= Authentication protocol used in Windows to identify clients to a server 
using mutual authentication (Uses tickets) 


o Remote Access Services (RAS) 
= Service that enables dial-up and VPN connections to occur from remote 
clients 
o Challenge Handshake Protocol (CHAP) 
= Authentication scheme that is used in dial-up connections 
o RADIUS 
= Centralized administration system for dial-up, VPN, and wireless 
authentication that uses either ports 1812/1813 (UDP) or 1645/1646 
(UDP) 
o TACACS+ 
= Cisco's proprietary version of RADIUS that provides separate 
authentication and authorization functions over port 49 (TCP) 


Authentication Attacks 
o Spoofing 
= A software-based attack where the goal is to assume the identity of a 
user, process, address, or other unique identifier 
o Man-in-the-Middle Attack 
= An attack where the attacker sits between two communicating hosts and 
transparently captures, monitors, and relays all communication between 
the hosts 
= Man-in-the-browser (MitB) is an attack that intercepts API calls between 
the browser process and its DLLs 
= Online password attacks involve entering guesses directly into a service 
= Restricting the number or rate of login attempts can prevent online 
password attacks 
o Password Spraying 
= Brute force attack in which multiple user accounts are tested with a 
dictionary of common passwords 
o Credential Stuffing 
= Brute force attack in which stolen user account names and passwords are 
tested against multiple websites 
= Credential stuffing can be prevented by not reusing passwords across 
different websites 
o Broken Authentication 
= A software vulnerability where the authentication mechanism allows an 
attacker to gain entry 
e Weak password credentials 
e Weak password reset methods 
e Credential exposure 
e Session hijacking 
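The spraying and online-guessing attacks above, turned into an added detection example that is not part of the original notes: it runs over constructed log lines, labels each source by whether it tried many accounts or hammered one, and lists accounts that then logged in successfully from a flagged source. The key=value log format is an assumption made for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication log (not from any real system).
SAMPLE_LOG = """\
2024-05-01T09:00:01Z result=fail src=203.0.113.5 user=alice
2024-05-01T09:00:02Z result=fail src=203.0.113.5 user=bob
2024-05-01T09:00:03Z result=fail src=203.0.113.5 user=carol
2024-05-01T09:00:04Z result=fail src=203.0.113.5 user=dave
2024-05-01T09:00:05Z result=fail src=203.0.113.5 user=erin
2024-05-01T09:00:06Z result=success src=203.0.113.5 user=frank
2024-05-01T09:01:00Z result=fail src=198.51.100.9 user=alice
2024-05-01T09:01:01Z result=fail src=198.51.100.9 user=alice
2024-05-01T09:01:02Z result=fail src=198.51.100.9 user=alice
2024-05-01T09:01:03Z result=fail src=198.51.100.9 user=alice
2024-05-01T09:01:04Z result=fail src=198.51.100.9 user=alice
2024-05-01T09:01:05Z result=fail src=198.51.100.9 user=alice
2024-05-01T09:30:00Z result=fail src=192.0.2.77 user=bob
2024-05-01T09:30:10Z result=success src=192.0.2.77 user=bob
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) result=(?P<result>\w+) src=(?P<src>\S+) user=(?P<user>\S+)$"
)


def parse_log(text: str) -> list:
    """Return (timestamp, result, source, user) tuples; unparsable lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
            events.append((ts, m["result"], m["src"], m["user"]))
    return events


def classify_sources(events, window=timedelta(minutes=5),
                     spray_users=5, guess_attempts=5) -> dict:
    """Label each source IP by the shape of its failed logins inside any
    `window`-long span: many distinct accounts with few tries each is
    password spraying; many tries against one account is online guessing."""
    fails = defaultdict(list)                 # src -> [(ts, user), ...]
    for ts, result, src, user in events:
        if result == "fail":
            fails[src].append((ts, user))
    verdicts = {}
    for src, items in fails.items():
        items.sort()
        verdicts[src] = "benign"
        for i, (start, _) in enumerate(items):   # slide the window over each start
            users = [u for ts, u in items[i:] if ts - start <= window]
            if len(set(users)) >= spray_users:
                verdicts[src] = "password_spraying"
                break
            if max(users.count(u) for u in set(users)) >= guess_attempts:
                verdicts[src] = "online_guessing"
                break
    return verdicts


def accounts_to_review(events, verdicts) -> set:
    """Accounts that logged in successfully from a source already flagged as
    attacking: the spray may have found a weak password there."""
    flagged = {s for s, v in verdicts.items() if v != "benign"}
    return {user for _, result, src, user in events
            if result == "success" and src in flagged}


if __name__ == "__main__":
    ev = parse_log(SAMPLE_LOG)
    verdicts = classify_sources(ev)
    print(verdicts)                          # 203.0.113.5 sprays, 198.51.100.9 guesses
    print(accounts_to_review(ev, verdicts))  # {'frank'}
```

Rate limiting per account stops the guessing case but not the spray, which stays under any per-account threshold; that is why the per-source distinct-user count is the signal worth alerting on.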
Access Control 


e Access Control 
o Access Control 
= Methods used to secure data and information by verifying a user has 
permissions to read, write, delete, or otherwise modify it 
o Access Control Models 
= Discretionary Access Control (DAC) 
e The access control policy is determined by the owner 
e DAC is used commonly 
e 1. Every object in a system must have an owner 
e 2.Each owner determines access rights and permissions for each 
object 
= Mandatory Access Control (MAC) 
e An access control policy where the computer system determines 
the access control for an object 
e The owner chooses the permissions in DAC but in MAC, the 
computer does 
e MAC relies on security labels being assigned to every user (called 
a subject) and every file/folder/device or network connection 
(called an object) 
e Data labels create trust levels for all subjects and objects 
e To access something, you need to meet the minimum level and 
have a “need-to-know” 
e MAC is implemented through the Rule-based and the Lattice-based access control methods 
= Rule-based Access Control 
e Label-based access control that defines whether access should be 
granted or denied to objects by comparing the object label and 
the subject label 
= Lattice-based Access Control 
e Utilizes complex mathematics to create sets of objects and 
subjects to define how they interact 
e Mandatory Access Control is a feature in FreeBSD & SELinux 
e Only in high security systems due to its complex configuration 
= Role-Based Access Control (RBAC) 
e An access model that is controlled by the system (like MAC) but utilizes a set of permissions instead of a single data label to define the permission level 
e Power Users is a role-based permission 
= Attribute-Based Access Control (ABAC) 
e An access model that is dynamic and context-aware using IF-THEN statements 
e If Jason is in HR, then give him access to \\fileserver\HR 


e Best Practices 
o Best Practices for Access Control 
o Implicit Deny 
= All access to a resource should be denied by default and only be allowed 
when explicitly stated 
o Least Privilege 
= Users are only given the lowest level of access needed to perform their 
job functions 
= Does everyone in the company need to know employee salary data? 
o Separation of Duties 
= Requires more than one person to conduct a sensitive task or operation 
= Separation of duties can be implemented by a single user with a user and 
admin account 
o Job Rotation 
= Occurs when users are cycled through various jobs to learn the overall 
operations better, reduce their boredom, enhance their skill level, and 
most importantly, increase our security 
= Job rotation helps the employee become more well-rounded and learn 
new skills 
= Job rotation also helps the organization identify theft, fraud, and abuse of 
position 


e Users and Groups 
o Computers can have multiple users and groups 
= 1. Right-click on an empty area in the Users folder of ADUC and select 
Create New User 
= 2.Create a new user within the Organizational Unit (OU) within Active 
Directory 
o User Rights 
= Permissions assigned to a given user 
o Groups 
= Collection of users based on common attributes (generally work roles) 
o Permissions in Windows 
e Full Control 
e Modify 
e Read & Execute 
e List Folder Contents 
e Read 
e Write 
o Permissions in Linux 
= Permissions are broken down into Read, Write, and Execute inside Linux 
= Permissions are assigned to Owners (U), Groups (G), and All Users (O or A) 
o chmod 
= Program in Linux that is used to change the permissions or rights of a file or folder using a shorthand number system 
= R (Read) = 4 
= W (Write) = 2 
= X (Execute) = 1 
= # chmod 760 filename 
e 7 = Owner can RWX 
e 6 = Group can RW 
e 0 = All Users (no access) 
= 777 allows everyone to Read, Write, and Execute 
o Privilege Creep 
= Occurs when a user gets additional permission over time as they rotate 
through different positions or roles 
= Privilege creep violates the principles of least privilege 
o User Access Recertification 
= Process where each user’s rights and permissions are revalidated to 
ensure they are correct 
e Hired 
e Fired 
e Promoted 


e Permissions 
o Permissions are inherited by default from the parent when a new folder is 
created 
o Any permissions added/removed from the parent folder will pass to the child 
by default too! 
o Propagation 
= Occurs when permissions are passed to a subfolder from the parent 
through inheritance 
o Use Groups for roles and do not assign users directly to a folder’s permissions 
o Review Note: CompTIA A+ 
o If you copy a folder, then permissions are inherited from the parent folder it is 
copied into 
o If you move a folder, then permissions are retained from its 
original permissions 


e Usernames and Passwords 
o first.last@yourcompany.com 
o Strong Passwords 
= Contain uppercase letters, lowercase letters, numbers, special characters, 
and at least 8 characters or more (preferably 14 or more) 
= 1. Always require the user to change the default password when the 
account is created 
= 2. Require that the password is changed frequently (every 90 days) 
= 3. Always change the default Administrator or Root password 
= 4. Disable the Guest account on your systems 
= 5. Enable CTRL+ALT+DEL for logging into the system 
e Turn this on in the Advanced tab of the User Accounts dialogue 
box 
= 6. Use good, strong policies in regards to your passwords 


e User Account Control 
o User Account Control (UAC) 
= A security component in Windows that keeps every user in standard user 
mode instead of acting like an administrative user 


* Only exception is the Administrator account * 
= 1. Eliminates unnecessary admin-level requests for Windows resources 
= 2. Reduces risk of malware using admin-level privileges to cause system 
issues 
= UAC can be disabled from the Control Panel 
Risk Assessments 


e Risk Assessments 
o Risk Assessments 
= A process used inside of risk management to identify how much risk 
exists in a given network or system 
o Risk 
= The probability that a threat will be realized 
o Vulnerabilities 
= Weaknesses in the design or implementation of a system 
o Threat 
= Any condition that could cause harm, loss, damage, or compromise to 
our information technology systems 
= Threats are external and beyond your control 


= What can we do about the threats we identified? 
o Risk management is used to minimize the likelihood of a negative outcome from occurring 
= Risk Avoidance 
e A strategy that requires stopping the activity that has risk or choosing a less risky alternative 
= Risk Transfer 
e A strategy that passes the risk to a third party 
= Risk Mitigation 
e A strategy that seeks to minimize the risk to an acceptable level 
= Risk Acceptance 
e A strategy that seeks to accept the current level of risk and the costs associated with it if the risk were realized 
= Residual Risk 
e The risk remaining after trying to avoid, transfer, or mitigate the risk 
o Identify assets 
o Identify vulnerabilities 
o Identify threats 
o Identify the impact 

e Qualitative Risk 
o Qualitative analysis uses intuition, experience, and other methods to assign a 
relative value to risk 
o Experience is critical in qualitative analysis 


e Quantitative Risk 
o Quantitative analysis uses numerical and monetary values to calculate risk 
o Quantitative analysis can calculate a direct cost for each risk 
o Magnitude of Impact 
= An estimation of the amount of damage that a negative risk might 
achieve 
= Single Loss Expectancy (SLE) 
e Cost associated with the realization of each individualized threat 
that occurs 


e Asset Value x Exposure Factor 
e SLE = AV x EF 
e SLE = $10,000 x 20% 
e SLE = $2,000 
= Annualized Rate of Occurrence (ARO) 
e Number of times per year that a threat is realized 
= Annualized Loss Expectancy (ALE) 
e Expected cost of a realized threat over a given year 


e ALE = SLE x ARO 
e ALE = $2,000 x 3 = $6,000 
e ALE = $2,000 x 0.5 = $1,000 


o If it costs $200,000 to build a server room that never loses power, then it 
would take 33 years to recover the building costs instead of losing power 3x 
year! 

o Hybrid approaches that combine quantitative and qualitative analysis are 
commonly used 


e Methodologies 
o Security Assessments 
= Verify that the organization’s security posture is designed and configured 
properly to help thwart different types of attacks 
= Assessments might be required by contracts, regulations, or laws 
= Assessments may be active or passive 
e Active Assessments 
o Utilize more intrusive techniques like scanning, hands-on 
testing, and probing of the network to determine 
vulnerabilities 
e Passive Assessments 
o Utilize open source information, the passive collection and 
analysis of the network data, and other unobtrusive 
methods without making direct contact with the targeted 
systems 
o Passive techniques are limited in the amount of detail they 
find 
Security Controls 
o Security Controls 
= Methods implemented to mitigate a particular risk 
o Security controls are categorized as physical, technical, or administrative 
= Physical Controls 
e Any security measures that are designed to deter or prevent 
unauthorized access to sensitive information or the systems that 
contain it 
= Technical Controls 
e Safeguards and countermeasures used to avoid, detect, 
counteract, or minimize security risks to our systems and 
information 
= Administrative Controls 
e Focused on changing the behavior of people instead of removing 
the actual risk involved 
o NIST categories are management, operational, and technical 
= Management Controls 
e Security controls that are focused on decision-making and the 
management of risk 
= Operational Controls 
e Focused on the things done by people 
= Technical Controls 
e Logical controls that are put into a system to help secure it 
o Preventative, Detective, or Corrective controls 
= Preventative Controls 
e Security controls that are installed before an event happens and 
are designed to prevent something from occurring 
= Detective Controls 
e Used during the event to find out whether something bad might 
be happening 
= Corrective Controls 
e Used after an event occurs 
o A single control can be categorized into multiple types or categories 
o Compensating Control 
= Used whenever you can’t meet the requirement for a normal control 
= Residual risk not covered by a compensating control is an accepted risk 


Types of Risks 
o External Risk 
= Risks that are produced by a non-human source and are beyond human 
control 
o Internal Risk 
= Risks that are formed within the organization, arise during normal 
operations, and are often forecastable 
o Legacy Systems 
= An old method, technology, computer system, or application program 
which includes an outdated computer system still in use 
o Multiparty 
= Arisk that refers to the connection of multiple systems or organizations 
with each bringing their own inherent risks 
o IP Theft 
= Risk associated with business assets and property being stolen from an 
organization in which economic damage, the loss of a competitive edge, 
or a slowdown in business growth occurs 
o Software Compliance/Licensing 
= Risk associated with a company not being aware of what software or 
components are installed within its network 




Vulnerability Management 


Vulnerability Management 
o Vulnerability Assessment 
= Seeks to identify any issues in a network, application, database, or other 
systems prior to it being used that might compromise the system 
= Defines, identifies, and classifies vulnerabilities within a system 
o Vulnerability Management 
= Practice of finding and mitigating the vulnerabilities in computers and 
networks 
o These 3 questions can help to scope your assessments 
= 1. What is the value of the information? 
= 2. What is the threat your system is facing? 
= 3. What is the mitigation that could be deployed? 
o Nessus, Qualysguard, and AlienVault are used for vulnerability assessments 
= 1. Define the desired state of security 
= 2. Create a baseline 
= 3. Prioritize the vulnerabilities 
= 4. Mitigate vulnerabilities 
= 5. Monitor the network and systems 
o Scan, Patch, Scan, ... 


Penetration Testing 
o Penetration tests look at a network's vulnerabilities from the outside 
o Metasploit and CANVAS are commonly used 
o Get permission and document info 
o Conduct reconnaissance 
o Enumerate the targets 
o Exploit the targets 
o Document the results 
o Pivot 
= Occurs when an attacker moves onto another workstation or user account 
o Persistence 
= Ability of an attacker to maintain a foothold inside the compromised network 




o A pentester can also simulate an insider threat 
Training and Exercises 
o Tabletop Exercise (TTX) 
= Exercise that uses an incident scenario against a framework of controls or 
a red team 
= A tabletop exercise is a discussion of simulated emergency situations and 
security incidents 
o Penetration Test 
= A test that uses active tools and security utilities to evaluate security by 
simulating an attack on a system to verify that a threat exists, actively 
test it, bypass security controls, and then finally exploit vulnerabilities on 
a given system 
e Test the system to discover vulnerabilities or prove security 
controls work 
e Examine the system to identify any logical weaknesses 
e Interview personnel to gather information 


o A pentest must be properly scoped and resourced before it can begin 
= Red Team 
e The hostile or attacking team in a penetration test or incident 
response exercise 
= Blue Team 
e The defensive team in a penetration test or incident response 
exercise 
= White Team 
e Staff administering, evaluating, and supervising a penetration test 
or incident response exercise 


OVAL 
o Open Vulnerability and Assessment Language (OVAL) 
= A standard designed to regulate the transfer of secure public information 
across networks and the Internet utilizing any security tools and services 
available 
= OVAL is comprised of a language and an interpreter 
o OVAL Language 
= An XML schema used to define and describe the information being 
created by OVAL to be shared among the various programs and tools 
o OVAL Interpreter 




= A reference developed to ensure the information passed around by these 
programs complies with the OVAL schemas and definitions used by the 
OVAL language 
e Vulnerability Assessments 
o Vulnerability Assessment 
= Baselining of the network to assess the current security state of 
computers, servers, network devices, and the entire network in general 
= Network Mapping 
e Discovery and documentation of physical and logical connectivity 
that exists in the network 
e Commercial and free network mapping software is available 
= Vulnerability Scanning 
e A technique that identifies threats on the network without 
exploiting them 
e Banner Grabbing 
o A technique used to gain information about servers and 
inventory the systems or services 
e Nessus and Qualysguard are commercial vulnerability scanners 
= Network Sniffing 
e The process of finding and investigating other computers on the 
network by analyzing the network traffic or capturing the packets 
being sent 
e Network sniffer, packet sniffing, and protocol analyzer can all 
conduct packet capture 
e Protocol Analyzer 
o Software tool that allows for the capture, reassembly, and 
analysis of packets from the network 
= Password Analysis 
e A tool used to test the strength of your passwords to ensure your password policies are being followed 
e Password Cracker 
o Uses comparative analysis to break passwords and systematically continues guessing until the password is determined 
o Cain & Abel and John the Ripper 
e Password Guessing 
o Occurs when a weak password is simply figured out by a person 
e Dictionary Attack 
o Method where a program attempts to guess the 
password by using a list of possible passwords 
e Brute-Force Attack 
o Method where a program attempts to try every possible 
combination until it 
cracks the password 
e Increasing complexity exponentially increases the time required 
to brute-force a password 
e Cryptanalysis Attack 
o Comparing a captured password hash against precomputed hashes in a lookup table instead of hashing each guess 
e Rainbow Table 
o List of precomputed values used to more quickly break a password since the hashes do not have to be calculated for each password being guessed; only works against unsalted hashes 
e Rubber Hose Attack 
o Attempt to crack a password by threatening or causing a 
person physical harm in order to make them tell you the 
password 
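Added example, not part of the original study notes: the three cracking methods above against a constructed set of unsalted SHA-1 hashes (the hashes, wordlist, and account names are made up for illustration). It shows why a dictionary attack is cheap, why a precomputed lookup table works at all against unsalted hashes, and how the brute-force keyspace grows with alphabet size and length. Tools such as John the Ripper do the same thing at far higher speed.

```python
import hashlib
import itertools
import string
from typing import Optional

# Constructed sample data: unsalted SHA-1 hashes of two made-up accounts,
# standing in for a leaked credential dump. Not real credentials.
LEAKED_HASHES = {
    "alice": hashlib.sha1(b"password1").hexdigest(),
    "bob": hashlib.sha1(b"Z9#").hexdigest(),
}

# Constructed wordlist standing in for a real one such as rockyou.txt.
WORDLIST = ["letmein", "qwerty", "password", "password1", "Summer2022"]

# Character set used by the brute-force demo below (65 symbols).
ALPHABET = string.ascii_letters + string.digits + "#$!"


def sha1_hex(candidate: str) -> str:
    return hashlib.sha1(candidate.encode()).hexdigest()


def dictionary_attack(target_hash: str, wordlist) -> Optional[str]:
    """Hash each candidate from the list and compare it with the target.
    Cost is one hash per candidate; defeated only by passwords not in the list."""
    for candidate in wordlist:
        if sha1_hex(candidate) == target_hash:
            return candidate
    return None


def build_lookup_table(wordlist) -> dict:
    """Precompute hash -> password once. Later lookups are O(1), which is the
    idea behind a rainbow table (minus the chain compression it adds). This
    only works because the hashes are unsalted: every user with the same
    password has the same hash."""
    return {sha1_hex(word): word for word in wordlist}


def brute_force(target_hash: str, alphabet: str, max_len: int) -> Optional[str]:
    """Try every combination of `alphabet` up to `max_len` characters."""
    for length in range(1, max_len + 1):
        for combo in itertools.product(alphabet, repeat=length):
            candidate = "".join(combo)
            if sha1_hex(candidate) == target_hash:
                return candidate
    return None


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of candidates a brute-force attack must cover in the worst case.
    Growth is exponential in the length and polynomial in the alphabet size."""
    return alphabet_size ** length


if __name__ == "__main__":
    print("dictionary:", dictionary_attack(LEAKED_HASHES["alice"], WORDLIST))
    print("lookup    :", build_lookup_table(WORDLIST).get(LEAKED_HASHES["alice"]))
    print("brute     :", brute_force(LEAKED_HASHES["bob"], ALPHABET, 3))
    for size, label in ((26, "lowercase"), (62, "alphanumeric"), (94, "full printable")):
        print(f"8-char {label:15} keyspace: {keyspace(size, 8):,}")
```

The 3-character brute force finishes in well under a second; the same search over 8 printable characters is about 6 quadrillion hashes, which is the point of length and complexity requirements.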


Monitoring and Auditing 


Monitoring Types 
o Signature-based 
= Network traffic is analyzed for predetermined attack patterns 
o Anomaly-based 
= A baseline is established and any network traffic that is outside of the 
baseline is evaluated 
o Behavior-based 
= Activity is evaluated based on the previous behavior of applications, 
executables, and the operating system in comparison to the current 
activity of the system 
o Methods may be combined into a hybrid approach in some IDS/IPS systems 
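Added example, not part of the original study notes: signature-based and anomaly-based detection run over a constructed access log (the IP addresses and requests are invented). The SQL-injection probe is caught only by the signature, and the scanner's 404 burst is caught only by the volume anomaly, which is why real IDS/IPS products combine both methods.

```python
import re
from collections import Counter
from statistics import mean, pstdev

# Constructed access-log sample: "client_ip method path status", one request per
# line. Not real traffic. Seven ordinary requests, one SQL-injection probe from
# 10.0.0.9, and a burst of sixty 404s from 10.0.0.66 (a scanner).
ACCESS_LOG = "\n".join([
    "10.0.0.5 GET /index.html 200",
    "10.0.0.5 GET /about.html 200",
    "10.0.0.7 GET /index.html 200",
    "10.0.0.9 GET /login.php?user=admin'%20OR%201=1-- 500",
    "10.0.0.7 GET /contact.html 200",
    "10.0.0.5 GET /index.html 200",
    "10.0.0.8 GET /index.html 200",
] + [f"10.0.0.66 GET /item{i}.html 404" for i in range(60)])

# Signature-based: predetermined attack patterns matched against each request.
SIGNATURES = {
    "sqli_or_1_eq_1": re.compile(r"'(?:%20|\s)*or(?:%20|\s)*1(?:%20|\s)*=(?:%20|\s)*1", re.I),
    "path_traversal": re.compile(r"\.\./"),
}

# Hosts whose normal traffic forms the baseline for anomaly detection.
KNOWN_GOOD_HOSTS = ["10.0.0.5", "10.0.0.7", "10.0.0.8"]


def parse(log: str):
    rows = []
    for line in log.splitlines():
        ip, method, path, status = line.split()
        rows.append((ip, method, path, int(status)))
    return rows


def signature_matches(rows):
    """Return (ip, signature_name) for every request matching a known pattern.
    Finds only what a signature exists for: the scanner's 404 burst is missed."""
    hits = []
    for ip, _method, path, _status in rows:
        for name, pattern in SIGNATURES.items():
            if pattern.search(path):
                hits.append((ip, name))
    return hits


def anomaly_sources(rows, baseline_hosts, threshold=3.0):
    """Anomaly-based: the baseline is the request volume of known-good hosts;
    any source more than `threshold` standard deviations above the baseline
    mean is flagged. Catches the scanner, but says nothing about the single
    injection attempt, which is volumetrically normal."""
    counts = Counter(ip for ip, *_ in rows)
    baseline = [counts.get(ip, 0) for ip in baseline_hosts]
    mu, sigma = mean(baseline), pstdev(baseline) or 1.0
    return sorted(ip for ip, n in counts.items() if (n - mu) / sigma > threshold)


if __name__ == "__main__":
    rows = parse(ACCESS_LOG)
    print("signature hits:", signature_matches(rows))
    print("anomalous sources:", anomaly_sources(rows, KNOWN_GOOD_HOSTS))
```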


Performance Baselining 
o Baselining 
= Process of measuring changes in networking, hardware, software, and applications 
o Baseline Reporting 
= Documenting and reporting on the changes in a baseline 
o Security Posture 
= Risk level to which a system or other technology element is exposed 
o Perfmon.exe is the Windows program for Performance Monitor 


e Protocol Analyzers 
o Protocol analyzers are used to capture and analyze network traffic 
o Promiscuous Mode 
= Network adapter is able to capture all of the packets on the network, regardless of the destination MAC address of the frames carrying them 
o Non-promiscuous Mode 
= Network adapter can only capture the packets directly addressed to itself 
o To capture the most information, you need to be in promiscuous mode 
= On a switched network, promiscuous mode alone only sees the frames the switch forwards to your port, which is why port mirroring or a tap is also needed 
o Port Mirroring 
= One or more switch ports are configured to forward copies of all of their packets to another port on the switch (a SPAN port) 
o If you cannot configure a SPAN port, then you can use a network tap 
= Network Tap 
e A physical device that allows you to intercept the traffic between two points on the network 


e SNMP 
o Simple Network Management Protocol (SNMP) 
= A TCP/IP protocol that aids in monitoring network-attached devices and computers 
= SNMP is incorporated into a network management and monitoring system 
o Managed Devices 
= Computers and other network-attached devices monitored through the use of agents by a network management system 
o Agents 
= Software that is loaded on a managed device to report information to the network management system 
o Network Management System (NMS) 
= Software running on one or more servers to control the monitoring of network-attached devices and computers 
o SNMP v1/v2c are insecure because access is controlled only by community strings, which are sent across the network in cleartext 
o SNMP v3 
= Version of SNMP that provides integrity, authentication, and encryption of the messages being sent over the network 
o Management should be conducted on an out-of-band network to increase security 
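Added example, not part of the original study notes: the weak and the hardened form of the SNMP agent configuration side by side, in the snmpd.conf syntax of the net-snmp agent (the assumption here is a net-snmp based device; the user name, passphrases, and management address are placeholders).

```conf
# INSECURE: SNMPv2c read-only access with the default community string.
# "public" travels in cleartext, so anyone who sniffs or guesses it can walk
# the whole MIB (interfaces, routing tables, ARP cache, running software).
rocommunity public default

# HARDENED: SNMPv3 user with authentication (SHA) and privacy (AES), and the
# agent bound only to the out-of-band management interface.
createUser nmsuser SHA "auth-passphrase-here" AES "priv-passphrase-here"
rouser nmsuser priv
agentAddress udp:10.10.0.5:161
```

With net-snmp the createUser line is normally placed in the persistent configuration file (for example /var/lib/net-snmp/snmpd.conf) rather than the main one: on startup the agent converts the passphrases into localized keys and rewrites the line, so the cleartext passphrases do not stay on disk. The `priv` keyword on `rouser` requires authPriv, so a client that only authenticates without encrypting is refused.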
Auditing 
o Auditing 
= A technical assessment conducted on applications, systems, or networks 
= Auditing is a detective control 
= Items examined during an audit include: 
e Security logs 
e ACLs 
e User rights/permissions 
e Group policies (GPOs) 
e Vulnerability scans 
e Written organizational policies 
e Interviewing personnel 
= Software tools are also used to help conduct audits 


Logging 
o Logs 
= Data files that contain the accounting and audit trail for actions 
performed by a user on a computer or network 
o Security, System, and Application logs should be audited on a Windows system 
= Security Logs 
e Logs the events such as successful and unsuccessful user logins to 
the system 
= System Logs 
e Logs the events such as a system shutdown and driver failures 
= Application Logs 
e Logs the events for the operating system and third-party applications 
o To consolidate all the logs into a single repository, you can use SYSLOG 
= SYSLOG 
e A standardized format used for computer message logging that allows for the separation of the software that generates messages, the system that stores them, and the software that reports and analyzes them 
e SYSLOG uses port 514 over UDP 


Log Files 
o Log files are important to your ability to reconstruct an event after it occurs 
o Log File Maintenance 
= Actions taken to ensure the proper creation and storage of a log file, such 
as the proper configuration, saving, back up, security, and encryption of 
the log files 
= Log files should be saved to a different partition or an external server 
o Overwrite Events 
= When a maximum log size is reached, the system can begin overwriting 
the oldest events in the log files to make room 
o Logs should be archived and backed up to ensure they are available when 
required 
o Write Once Read Many (WORM) 
= Technology like a DVD-R that allows data to be written only once but 
read unlimited times 


SIEM 
o Log review is a critical part of security assurance 


o SIEM 
= A solution that provides real-time or near-real-time analysis of security 
alerts generated by network hardware and applications 
e SIEM solutions can be implemented as software, hardware 
appliances, or outsourced managed services 
e Log all relevant events and filter irrelevant data 
e Establish and document scope of events 
e Develop use cases to define a threat 
e Plan incident response to an event 
e Establish a ticketing process to track events 
e Schedule regular threat hunting 
e Provide auditors and analysts an evidence trail 
o There are many commercial and open-source SIEM solutions available 


o Splunk 
= A market-leading big data information gathering and analysis tool that can import machine-generated data via a connector or visibility add-on 
= Splunk may be installed locally or as a cloud-based solution 
o ELK/Elastic Stack 
= Collection of free and open-source SIEM tools that provides storage, search, and analysis functions 
e Elasticsearch (query/analytics) 
e Logstash (log collection/normalization) 
e Kibana (visualization) 
e Beats (endpoint collection agents) 
= ELK Stack may be installed locally or as a cloud-based solution 
o ArcSight 
= A SIEM log management and analytics software that can be used for compliance reporting for legislation and regulations like HIPAA, SOX, and PCI DSS 
o QRadar 
= A SIEM log management, analytics, and compliance reporting platform created by IBM 
o AlienVault and OSSIM (Open-Source Security Information Management) 
= A SIEM solution originally developed by AlienVault, now owned by AT&T, and rebranded as AT&T Cybersecurity 
= OSSIM can integrate other open-source tools, such as the Snort IDS and OpenVAS vulnerability scanner, and provide an integrated web administrative tool to manage the whole security environment 
o Graylog 
= An open-source SIEM with an enterprise version focused on compliance and supporting IT operations and DevOps 
Syslog 
o Syslog 
= A protocol enabling different appliances and software applications to transmit logs or event records to a central server 
= Syslog follows a client-server model and is the de facto standard for logging of events from distributed systems 
= Syslog runs on most operating systems and network equipment using port 514 (UDP) over TCP/IP 
= A syslog message contains a PRI code, a header, and a message portion 
e The PRI code is calculated from the facility and severity level of the data (PRI = facility x 8 + severity) 
e The header contains the timestamp of the event and the hostname 
e The message portion contains the source process of the event and related content 
= Original drawbacks of syslog: 
e Since syslog relied on UDP, there can be delivery issues within congested networks 
e Basic security controls like encryption and authentication are not included by default within syslog 
o Due to these security issues, newer syslog implementations added new features and capabilities 
= Newer implementations can use TCP (commonly port 1468, or port 6514 for syslog over TLS) for reliable delivery 
= Newer implementations can use TLS to encrypt messages sent to servers 
= Newer implementations can use MD5 or SHA-1 for authentication and integrity 
= Some newer implementations can use message filtering, automated log analysis, event response scripting, and alternate message formats 
o Newer syslog daemons include syslog-ng and rsyslog 
o Syslog can refer to the protocol, the server, or the log entries themselves 
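Added example, not part of the original study notes: a parser for the classic BSD-style syslog line that splits the PRI code back into facility and severity and pulls out the header and message fields. The sample lines are constructed (the first is adapted from the RFC 3164 example), and a severity filter shows the trap that lower numbers are more urgent.

```python
import re
from typing import NamedTuple, Optional

# RFC 5424 facility codes 0-23 and severity codes 0-7.
FACILITIES = [
    "kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
    "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock",
    "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7",
]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# Constructed sample lines in the classic BSD (RFC 3164) format; the first is
# adapted from the RFC's own example, the rest are made up.
SAMPLE_LINES = [
    "<34>Oct 11 22:14:15 mymachine su[1023]: 'su root' failed for lonvick on /dev/pts/8",
    "<13>Oct 11 22:14:16 mymachine myapp: started",
    "<86>Oct 11 22:14:17 mymachine sshd[4242]: Accepted publickey for ops from 10.0.0.9",
    "<190>Oct 11 22:14:18 router01 ospfd: neighbor 10.1.1.2 up",
]

BSD_LINE = re.compile(
    r"^<(?P<pri>\d{1,3})>"                                    # PRI
    r"(?P<ts>[A-Z][a-z]{2}\s+\d{1,2}\s\d{2}:\d{2}:\d{2})\s"   # timestamp (no year!)
    r"(?P<host>\S+)\s"                                        # hostname
    r"(?P<tag>[^:\[\s]+)(?:\[(?P<pid>\d+)\])?:\s?"            # process tag, optional pid
    r"(?P<msg>.*)$"
)


class SyslogEvent(NamedTuple):
    facility: str
    severity: str
    timestamp: str
    host: str
    tag: str
    pid: Optional[int]
    message: str


def split_pri(pri: int):
    """PRI = facility * 8 + severity, so both are recovered by division."""
    if not 0 <= pri <= 191:
        raise ValueError(f"PRI {pri} out of range 0-191")
    return FACILITIES[pri // 8], SEVERITIES[pri % 8]


def encode_pri(facility: int, severity: int) -> str:
    return f"<{facility * 8 + severity}>"


def parse_syslog(line: str) -> SyslogEvent:
    m = BSD_LINE.match(line)
    if not m:
        raise ValueError(f"not a BSD syslog line: {line!r}")
    facility, severity = split_pri(int(m["pri"]))
    pid = int(m["pid"]) if m["pid"] else None
    return SyslogEvent(facility, severity, m["ts"], m["host"], m["tag"], pid, m["msg"])


def urgent_events(lines, max_severity: int = 3):
    """Events at severity `max_severity` (default 3 = err) or MORE urgent.
    A lower numeric code means more urgent, a common source of filter bugs."""
    return [ev for ev in map(parse_syslog, lines)
            if SEVERITIES.index(ev.severity) <= max_severity]


if __name__ == "__main__":
    for ev in map(parse_syslog, SAMPLE_LINES):
        print(f"{ev.facility:8} {ev.severity:8} {ev.host:10} {ev.tag}: {ev.message}")
```

Note that the BSD timestamp carries no year and no time zone, so a collector must add both on receipt if events are to be correlated reliably; RFC 5424 fixes this with a full ISO 8601 timestamp.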


SOAR 
o Security Orchestration, Automation, and Response (SOAR) 
= A class of security tools that facilitates incident response, threat hunting, and security configuration by orchestrating automated runbooks and delivering data enrichment 
= SOAR is primarily used for incident response 
o Next-gen SIEM 
= A security information and event monitoring system with an integrated SOAR 
e Scans security/threat data 
e Analyzes it with ML 
e Automates data enrichment 
e Provisions new resources 
o Playbook 
= A checklist of actions to perform to detect and respond to a specific type of incident 
o Runbook 
= An automated version of a playbook that leaves clearly defined interaction points for human analysis 
Cryptography 


e Cryptography 
o Cryptography 
= The practice and study of writing and solving codes in order to hide the 
true meaning of information 
o Encryption 
= Process of converting ordinary information (plaintext) into an unintelligible form (ciphertext) 
= Encryption protects data at rest, data in transit, or data in use 
e Data at Rest 
o Inactive data that is stored, such as data resident on a hard disk drive or in a backup 
e Data in Transit 
o Data crossing a network between two systems 
e Data in Use 
o Data being actively processed, such as data resident in a computer's memory; the hardest state to protect, since it must be in plaintext to be worked on 


= Example: ROT13 (a Caesar shift of 13) turns the plaintext "Cryptography is fun" into the ciphertext "Pelcgbtencul vf sha" 


= Encryption strength comes from the key, not the algorithm 
e Key 
o The essential piece of information that determines 
the output of a cipher 


e Symmetric vs Asymmetric 
o Symmetric Algorithm (Private Key) 
= Encryption algorithm in which both the sender and the receiver must know the same secret using a privately-held key 
= Confidentiality can be assured with symmetric encryption 
= Key distribution can be challenging with symmetric encryption 
= Symmetric Algorithms 
e DES, 3DES, IDEA, AES, Blowfish, Twofish, RC4, RC5, RC6 
o Asymmetric Encryption (Public Key) 
= Encryption algorithm where different keys are used to encrypt and decrypt the data 
= Asymmetric Algorithms 
e Diffie-Hellman, RSA, and ECC 
o Symmetric is 100-1000x faster than asymmetric 
o Hybrid Implementation 
= Utilizes asymmetric encryption to securely exchange a symmetric session key, which is then used to encrypt the bulk of the data (this is how TLS and PGP work) 
o Stream Cipher 
= Utilizes a keystream generator to encrypt data bit by bit using a mathematical XOR function to create the ciphertext 
o Block Cipher 
= Breaks the input into fixed-length blocks of data and performs the encryption on each block 
= Block ciphers are easier to implement through a software solution 


Symmetric Algorithms 
o Symmetric Algorithms 
= DES, 3DES, IDEA, AES, Blowfish, Twofish, RC4, RC5, RC6 
o Data Encryption Standard (DES) 
= Encryption algorithm which breaks the input into 64-bit blocks and uses transposition and substitution to create ciphertext using an effective key strength of only 56-bits 
= DES used to be the standard for encryption; a 56-bit key can now be brute-forced in hours 
o Triple DES (3DES) 
= Encryption algorithm which uses three separate symmetric keys to encrypt, decrypt, then encrypt the plaintext into ciphertext in order to increase the strength of DES 
o International Data Encryption Algorithm (IDEA) 
= Symmetric block cipher which uses 64-bit blocks to encrypt plaintext into ciphertext 
o Advanced Encryption Standard (AES) 
= Symmetric block cipher that always uses 128-bit blocks with a 128-bit, 192-bit, or 256-bit encryption key to encrypt plaintext into ciphertext 
= AES is the standard for encrypting sensitive U.S. Government data 
o Blowfish 
= Symmetric block cipher that uses 64-bit blocks and a variable length encryption key to encrypt plaintext into ciphertext 
o Twofish 
= Symmetric block cipher designed as the successor to Blowfish that uses 128-bit blocks and a 128-bit, 192-bit, or 256-bit encryption key to encrypt plaintext into ciphertext 
o Rivest Cipher (RC4) 
= Symmetric stream cipher using a variable key size from 40-bits to 2048-bits that was used in SSL and WEP; its keystream biases are now well known and RFC 7465 prohibits its use in TLS 
o Rivest Cipher (RC5) 
= Symmetric block cipher with a key size up to 2048-bits 
o Rivest Cipher (RC6) 
= Symmetric block cipher that was a finalist in the competition to replace DES, but Rijndael was chosen as AES instead 
o Exam Tips 
= RC4 is the only stream cipher covered 


e Public Key Cryptography 
o Asymmetric algorithms are also known as Public Key Cryptography 
= Confidentiality 
= Integrity 
= Authentication 
= Non-repudiation 
= Figure: Using Public Key Cryptography to ensure non-repudiation. Jason encrypts the plaintext with Jason's private key; Mary decrypts the ciphertext with Jason's public key, which proves the message could only have come from Jason (anyone holding the public key can read it, so this gives non-repudiation, not confidentiality) 


= Organizations want both confidentiality and non-repudiation 
o Digital Signature 
= A hash digest of a message encrypted with the sender's private key to let the recipient know the document was created and sent by the person claiming to have sent it 
= The recipient decrypts the digest with the sender's public key and compares it with a fresh hash of the message; a mismatch means the message was altered or the signer is not who they claim 
o PKI 
= Public Key Infrastructure 
o Exam Tips 
= Asymmetric encryption is also known as public key cryptography 
= Two keys are used in public key cryptography 


e Asymmetric Algorithms 
o Asymmetric Algorithms 
= Diffie-Hellman, RSA, and ECC 
o Diffie-Hellman (DH) 
= Used to conduct key exchanges and secure key distribution over an 
unsecured network 
= Diffie-Hellman is used for the establishment of a VPN tunnel using IPSec 
o RSA (Rivest, Shamir, and Adleman) 
= Asymmetric algorithm that relies on the mathematical difficulty of factoring the product of two large prime numbers 
= RSA is widely used for key exchange, encryption, and digital signatures 
= RSA can use key sizes of 1024-bits to 4096-bits; 1024-bit keys are no longer considered secure and 2048-bit is the usual minimum today 
o Elliptic Curve Cryptography (ECC) 
= Algorithm that is based upon the algebraic structure of elliptic curves over finite fields to define the keys 
= ECC with a 256-bit key is roughly as secure as RSA with a 3072-bit key (NIST rates both at 128 bits of security), so ECC keys are far shorter for the same strength 
= ECDH 
e Elliptic Curve Diffie-Hellman 
= ECDHE 
e Elliptic Curve Diffie-Hellman Ephemeral 
= ECDSA 
e Elliptic Curve Digital Signature Algorithm 
= ECC is most commonly used for mobile devices and low-power computing devices 
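Added example, not part of the original study notes: a Diffie-Hellman exchange carried out end to end, with fresh (ephemeral) values per session and the shared secret run through a KDF before use. The group parameters are assumed for readability only (the prime 2^255 - 19 with generator 2 is not a vetted DH group); production code uses an RFC 3526 MODP group or, better, ECDHE with X25519 or P-256 from a library.

```python
import hashlib
import secrets

# ASSUMED toy parameters. 2^255 - 19 is prime, but this is not a standardized
# DH group and must not be used for real traffic; it only keeps the example
# self-contained. Use RFC 3526 group 14 (2048-bit) or ECDHE in practice.
P = 2 ** 255 - 19
G = 2


def dh_keypair(p: int = P, g: int = G):
    """Fresh (ephemeral) private value and the matching public value g^x mod p."""
    private = secrets.randbelow(p - 3) + 2  # 2 <= private <= p-2
    public = pow(g, private, p)
    return private, public


def dh_shared_key(my_private: int, peer_public: int, p: int = P) -> bytes:
    """Compute peer_public^my_private mod p and derive a symmetric key from it."""
    # Reject 0, 1 and p-1: they force the shared secret into a tiny subgroup
    # regardless of the private value (invalid-value / small-subgroup attack).
    if not 2 <= peer_public <= p - 2:
        raise ValueError("invalid peer public value")
    shared_secret = pow(peer_public, my_private, p)
    # Never use the raw group element as a key; a KDF gives a fixed-length,
    # uniformly distributed key (TLS uses HKDF here, SHA-256 suffices to show it).
    width = (p.bit_length() + 7) // 8
    return hashlib.sha256(shared_secret.to_bytes(width, "big")).digest()


def run_exchange():
    """Both sides end up with the same 256-bit key; only the public values
    (alice_pub, bob_pub) ever cross the network."""
    alice_priv, alice_pub = dh_keypair()
    bob_priv, bob_pub = dh_keypair()
    key_a = dh_shared_key(alice_priv, bob_pub)   # Alice: bob_pub^alice_priv
    key_b = dh_shared_key(bob_priv, alice_pub)   # Bob:   alice_pub^bob_priv
    return key_a, key_b


if __name__ == "__main__":
    k1, k2 = run_exchange()
    print("keys agree:", k1 == k2, k1.hex())
    k3, _ = run_exchange()
    print("next session key differs (forward secrecy):", k1 != k3)
```

Because every call to dh_keypair draws a new private value, each session gets an unrelated key: compromising one session key, or even one side's long-term signing key, does not expose earlier sessions. That is the perfect forward secrecy the ECDHE and WPA3 entries refer to.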


e Pretty Good Privacy 
o Pretty Good Privacy (PGP) 
= An encryption program used for signing, encrypting, and decrypting emails 
= The original PGP used the IDEA algorithm for its symmetric encryption 
o Symmetric functions use 128-bit or higher keys and the asymmetric functions use 512-bit to 2048-bit key sizes 
o GNU Privacy Guard (GPG) 
= A free, open-source implementation of the OpenPGP standard that uses AES (among other ciphers) for its symmetric encryption functions 
= GPG has cross-platform availability 


e Key Management 
o Key Management 
= Refers to how an organization will generate, exchange, store, and use encryption keys 
o The strength of an encryption system lies in the key strength 
o Keys must be securely stored 
o Periodically change your keys 


e One-Time Pad 
o One-Time Pad 
= A stream cipher that encrypts plaintext information with a secret random key that is the same length as the plaintext input 
= It is the only cipher proven unbreakable, but only if the pad is truly random, kept secret, and never reused 
o There is no such thing as a truly random number produced by a computer alone; operating systems gather entropy from hardware events and feed it to a cryptographically secure generator 
o Pseudo-Random Number Generator (PRNG) 
= A simulated random number stream generated by a computer that is used in cryptography, video games, and more 
o One-time pads are not commonly used because generating, distributing, and protecting a pad as long as all the data is impractical 
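Added example, not part of the original study notes, serving both the stream-cipher entry above and the one-time pad: XOR encryption with a pad from the OS CSPRNG, the "two-time pad" failure where reusing a pad leaks the XOR of the two plaintexts, and the difference a stream cipher makes by expanding a short key plus a nonce into a keystream. The keystream construction is an assumed toy (a hash counter), not a vetted cipher; the plaintexts are constructed.

```python
import hashlib
import secrets


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def new_pad(length: int) -> bytes:
    """Key material from the OS CSPRNG (never random.random(), which is a
    predictable PRNG seeded from very little entropy)."""
    return secrets.token_bytes(length)


def otp_encrypt(plaintext: bytes, pad: bytes) -> bytes:
    """One-time pad: XOR each plaintext byte with a pad byte. The pad must be
    at least as long as the message, truly random, secret, and used once."""
    if len(pad) < len(plaintext):
        raise ValueError("pad shorter than plaintext")
    return xor_bytes(plaintext, pad)


otp_decrypt = otp_encrypt  # XOR is its own inverse: (p ^ k) ^ k == p


def toy_keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """What a stream cipher adds over the OTP: expand a short key plus a nonce
    into a pad-length keystream. ASSUMED toy construction (SHA-256 over a
    counter) for illustration only; use ChaCha20 or AES-CTR from a library."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(out[:length])


def stream_encrypt(plaintext: bytes, key: bytes, nonce: bytes) -> bytes:
    return xor_bytes(plaintext, toy_keystream(key, nonce, len(plaintext)))


def two_time_pad_leak(c1: bytes, c2: bytes) -> bytes:
    """Reusing a pad (or a key+nonce pair) cancels it: c1 ^ c2 == p1 ^ p2.
    The attacker needs no key at all to get this far."""
    return xor_bytes(c1, c2)


def recover_other_plaintext(c1: bytes, c2: bytes, known_p1: bytes) -> bytes:
    """With one plaintext known (or guessed: 'crib dragging'), the other one
    falls out directly from the leaked XOR."""
    return xor_bytes(two_time_pad_leak(c1, c2), known_p1)


if __name__ == "__main__":
    p1, p2 = b"ATTACK AT DAWN", b"RETREAT AT 6PM"   # constructed messages
    pad = new_pad(len(p1))
    c1, c2 = otp_encrypt(p1, pad), otp_encrypt(p2, pad)   # same pad twice: the mistake
    print(otp_decrypt(c1, pad))
    print(recover_other_plaintext(c1, c2, p1))
```

The same leak applies to any stream cipher when a key and nonce pair is reused, which is exactly the WEP flaw with RC4 and its 24-bit IV: after enough packets, IVs repeat and keystreams collide.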


Steganography 
o Steganography 
= The science and art of hiding messages within other messages 
= Steganography is a form of obfuscation, not encryption 
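Added example, not part of the original study notes: least-significant-bit steganography over a constructed run of 8-bit "pixel" samples (a real cover would be the pixel bytes of an image). Each sample changes by at most one, which the eye cannot see, and the extractor needs no key at all, which is the obfuscation-not-encryption point.

```python
# Constructed cover: 2048 samples of an 8-bit grayscale image (a ramp repeated
# eight times). A real cover would be the raw pixel bytes of a PNG or BMP.
COVER = bytes(range(256)) * 8


def to_bits(data: bytes):
    for byte in data:
        for shift in range(7, -1, -1):
            yield (byte >> shift) & 1


def lsb_embed(cover: bytes, secret: bytes) -> bytes:
    """Store a 32-bit length header followed by the secret, one bit per cover
    sample, in the least significant bit. Each touched sample moves by at
    most 1, which is below the noise floor of any real image."""
    payload = len(secret).to_bytes(4, "big") + secret
    if len(payload) * 8 > len(cover):
        raise ValueError("cover too small for payload")
    stego = bytearray(cover)
    for i, bit in enumerate(to_bits(payload)):
        stego[i] = (stego[i] & 0xFE) | bit
    return bytes(stego)


def lsb_extract(stego: bytes) -> bytes:
    """Read the LSBs back. No key is involved: anyone who knows the scheme can
    recover the message, so steganography hides but does not protect."""
    def read(start: int, nbytes: int) -> bytes:
        out = bytearray()
        for k in range(nbytes):
            byte = 0
            for i in range(8):
                byte = (byte << 1) | (stego[start + k * 8 + i] & 1)
            out.append(byte)
        return bytes(out)
    length = int.from_bytes(read(0, 4), "big")
    return read(32, length)


def max_sample_change(cover: bytes, stego: bytes) -> int:
    """How far any sample moved; 1 for LSB embedding."""
    return max(abs(a - b) for a, b in zip(cover, stego))


if __name__ == "__main__":
    stego = lsb_embed(COVER, b"meet at noon")
    print(lsb_extract(stego), "max change:", max_sample_change(COVER, stego))
```

To get confidentiality as well, encrypt the message first and embed the ciphertext; then an analyst who detects the embedding still learns nothing about the content.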


Cryptography Considerations 
o Blockchain 
= A shared, immutable ledger for recording transactions, tracking assets, and building trust 
= Most famous example of the blockchain is those used in cryptocurrencies 
o Public Ledger 
= A record-keeping system that maintains participants' identities in secure and anonymous form, their respective cryptocurrency balances, and a record book of all the genuine transactions executed between network participants 
= A permissioned blockchain is used for business transactions and promotes new levels of trust and transparency using an immutable public ledger 
o Quantum Computing 
= A computer that uses quantum mechanics to generate and manipulate quantum bits (qubits) in order to access enormous processing power 
o Quantum Communication 
= A communications network that relies on qubits made of photons (light) to send multiple combinations of 1s and 0s simultaneously, which results in tamper-resistant and extremely fast communications 
o What is a qubit? 
= A quantum bit composed of electrons or photons that can represent numerous combinations of 1s and 0s at the same time through superposition 
= Cryptography is used to secure our communications and data by relying on how difficult a math problem is to compute 
= Today's asymmetric algorithms (RSA, Diffie-Hellman, ECC) rely on factoring and discrete-logarithm problems that Shor's algorithm would solve efficiently on a sufficiently large quantum computer, so they are expected to be broken once such a machine exists 
o Post-quantum Cryptography 
= A new kind of cryptographic algorithm that can be implemented using today's classical computers but is also impervious to attacks from future quantum computers 
= For symmetric ciphers and hashes, increasing the key or digest size is enough, because Grover's algorithm only halves their effective strength (AES-256 keeps about 128 bits of security); this does not rescue RSA or ECC 
= Researchers are working on a wide range of approaches, including lattice-based cryptography and supersingular isogeny key exchange (the isogeny scheme SIKE was itself broken in 2022, while NIST selected the lattice-based CRYSTALS-Kyber and CRYSTALS-Dilithium for standardization that year) 
o Ephemeral 
= A cryptographic key that is generated for each execution of a key establishment process 
= Ephemeral keys are short-lived and used in the key exchange for WPA3 (and TLS 1.3) to create perfect forward secrecy 
o Homomorphic Encryption 
= An encryption method that allows calculations to be performed on data without decrypting it first 
= Homomorphic encryption can be used for privacy-preserving outsourced storage and computation 
Hashing 


e Hashing 
o Hash 
= A one-way cryptographic function which takes an input of any length and produces a fixed-length message digest; the digest is not truly unique, but finding another input with the same digest should be infeasible 
o Message Digest 5 (MD5) 
= Algorithm that creates a fixed-length 128-bit hash value of the input file; collisions can now be generated at will, so MD5 must not be used where collision resistance matters 
o Collision 
= Condition that occurs when two different files create the same hash digest 
o Secure Hash Algorithm (SHA-1) 
= Algorithm that creates a fixed-length 160-bit hash value of the input file; a practical collision was demonstrated in 2017, so it is deprecated for signatures and certificates 
o Secure Hash Algorithm (SHA-2) 
= Family of algorithms that includes SHA-224, SHA-256, SHA-384, and SHA-512 
o Secure Hash Algorithm (SHA-3) 
= Family of algorithms that creates hash digests between 224-bits and 512-bits 
o RACE Integrity Primitives Evaluation Message Digest (RIPEMD) 
= An open-source hash algorithm that creates a 160-bit, 256-bit, or 320-bit message digest for each input file 
o Hash-based Message Authentication Code (HMAC) 
= Combines a hash algorithm with a secret key to provide assurance of both the integrity and the authenticity of a given message or file 
e HMAC-MD5 
e HMAC-SHA1 
e HMAC-SHA256 
o Digital signatures prevent collisions from being used to spoof the integrity of a message 
= Digital signatures use a signature algorithm such as DSA, RSA, or ECDSA over a digest produced by a hash such as SHA-2 
o Code Signing 
= Uses digital signatures to provide an assurance that the software code has not been modified after it was submitted by the developer 
o LANMAN (LM Hash) 
= Original version of password hashing used by Windows that uses DES and is limited to 14 characters 
o NT LAN Manager Hash (NTLM Hash) 
= Replacement for LM Hash that uses MD4 over the UTF-16LE password, released with Windows NT 3.1 in 1993 (the NTLM protocol uses RC4 for session encryption, but the stored hash itself is unsalted MD4) 
o NTLMv2 Hash 
= Replacement for the NTLM authentication response that uses HMAC-MD5 and is considered more difficult to crack 
= NTLMv2 is used when you do not have a domain with Kerberos for authentication 
o Exam Tips 
= Instantly match integrity and hashing on the exam 
= MD5 and SHA are the most common hash functions used 
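Added example, not part of the original study notes: the fixed digest sizes of the algorithms listed above, the avalanche effect of a one-bit input change, and the difference between a bare hash (integrity against accidents only) and an HMAC (integrity plus authenticity, since the tag cannot be recomputed without the key). The messages and key are constructed.

```python
import hashlib
import hmac

ALGORITHMS = ("md5", "sha1", "sha256", "sha384", "sha512", "sha3_256")


def digest_bits(data: bytes) -> dict:
    """Output size in bits per algorithm; fixed regardless of input length."""
    return {name: hashlib.new(name, data).digest_size * 8 for name in ALGORITHMS}


def hamming_distance(a: bytes, b: bytes) -> int:
    """Number of differing bits between two equal-length byte strings."""
    return sum(bin(x ^ y).count("1") for x, y in zip(a, b))


def avalanche(data: bytes, algorithm: str = "sha256") -> int:
    """Flip one bit of the input and count how many digest bits change;
    a good hash changes roughly half of them (about 128 of 256 for SHA-256)."""
    flipped = bytes([data[0] ^ 0x01]) + data[1:]
    return hamming_distance(hashlib.new(algorithm, data).digest(),
                            hashlib.new(algorithm, flipped).digest())


def unkeyed_check(message: bytes, digest_hex: str) -> bool:
    """Receiver that trusts 'message || sha256(message)'."""
    return hashlib.sha256(message).hexdigest() == digest_hex


def attacker_forge_unkeyed(tampered: bytes):
    """With no key involved, the attacker just recomputes the hash over the
    tampered message and the unkeyed check passes."""
    return tampered, hashlib.sha256(tampered).hexdigest()


def tag_message(key: bytes, message: bytes) -> str:
    """HMAC-SHA256 tag: only a holder of `key` can produce or check it."""
    return hmac.new(key, message, "sha256").hexdigest()


def verify_tag(key: bytes, message: bytes, tag: str) -> bool:
    # compare_digest runs in constant time so a timing side channel does not
    # leak how many leading characters of the tag were correct.
    return hmac.compare_digest(tag_message(key, message), tag)


if __name__ == "__main__":
    print(digest_bits(b"hello"))
    print("bits changed by a 1-bit flip:", avalanche(b"The quick brown fox"))
    key = b"shared-secret"            # constructed
    tag = tag_message(key, b"pay 10")
    print("genuine:", verify_tag(key, b"pay 10", tag),
          "tampered:", verify_tag(key, b"pay 9999", tag))
```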


e Hashing Attacks 
o Pass the Hash 
= A technique that allows an attacker to authenticate to a remote server or service by using the underlying NTLM or LM hash instead of requiring the associated plaintext password 
= Pass the Hash is difficult to defend against because the hash is, in effect, the credential 
= Mimikatz 
e A penetration testing tool used to automate the harvesting of hashes and conducting the Pass the Hash attack 
= Defenses against Pass the Hash: 
e Only use a trusted OS 
e Patch/update workstations 
e Use multifactor authentication 
e Use least privilege 
o Birthday Attack 
= Technique used by an attacker to find two different messages that have the same identical hash digest 
= 50% chance of finding a matching birthday in a 23-person group 
= 99% chance of finding a matching birthday in a 57-person group 
= For an n-bit hash, a collision is expected after about 2^(n/2) trials, so 128-bit MD5 offers only 64 bits of collision resistance 
= Collision 
e Occurs when two different inputs to a hash create an identical hash digest output 
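Added example, not part of the original study notes: the birthday probabilities quoted above computed exactly, the 2^(n/2) rule of thumb, and a real birthday search that finds two distinct messages with the same 32-bit truncated SHA-256 digest in tens of thousands of hashes. The messages are generated counters, so the run is deterministic.

```python
import hashlib
from typing import Optional, Tuple


def birthday_match_probability(people: int, days: int = 365) -> float:
    """P(at least two of `people` share a birthday) = 1 - P(all distinct)."""
    p_all_distinct = 1.0
    for i in range(people):
        p_all_distinct *= (days - i) / days
    return 1.0 - p_all_distinct


def expected_trials(bits: int) -> float:
    """Rule of thumb: a collision in an n-bit hash is expected after about
    2^(n/2) random inputs, so an n-bit hash gives only n/2 bits of collision
    resistance (MD5: 64, SHA-1: 80, SHA-256: 128)."""
    return 2.0 ** (bits / 2)


def truncated(msg: bytes, bits: int = 32) -> int:
    """SHA-256 digest truncated to its low `bits` bits of the first 8 bytes."""
    mask = (1 << bits) - 1
    return int.from_bytes(hashlib.sha256(msg).digest()[:8], "big") & mask


def find_truncated_collision(bits: int = 32, limit: int = 2_000_000
                             ) -> Optional[Tuple[bytes, bytes, int]]:
    """Birthday search: hash counter messages, remember each truncated digest,
    stop at the first repeat. Returns (msg1, msg2, hashes_computed).
    Full 256-bit SHA-256 needs ~2^128 work; 32 bits fall in ~2^16 hashes."""
    seen = {}
    for i in range(limit):
        msg = f"msg-{i}".encode()
        h = truncated(msg, bits)
        if h in seen:
            return seen[h], msg, i + 1
        seen[h] = msg
    return None


if __name__ == "__main__":
    print(f"23 people: {birthday_match_probability(23):.3f}")
    print(f"57 people: {birthday_match_probability(57):.3f}")
    print(f"expected trials for a 32-bit collision: {expected_trials(32):.0f}")
    m1, m2, n = find_truncated_collision(32)
    print(f"{m1!r} and {m2!r} collide on 32 bits after {n} hashes")
```

This is why truncating a digest to "save space", or relying on MD5, quietly halves the security you think you have: the attacker does not need to invert the hash, only to find any two inputs that agree.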


e Increasing Hash Security 
o Key Stretching 
= A technique that is used to mitigate a weaker key or password by increasing the time needed to crack it, typically by iterating the hash many thousands of times (PBKDF2, bcrypt, scrypt, Argon2) 
= WPA, WPA2, PGP, bcrypt, and other algorithms utilize key stretching 
o Salting 
= Adding random data into a one-way cryptographic hash to help protect against password cracking techniques 
= Because each user gets a different salt, identical passwords produce different hashes and precomputed (rainbow) tables become useless 
= A "nonce" (number used once) is a related one-time value used in protocols to prevent replay of an earlier message 
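Added example, not part of the original study notes: salted, stretched password storage with PBKDF2-HMAC-SHA256 from the standard library, with the stored record carrying its own salt and iteration count. A precomputed table still hits an unsalted SHA-256 of the same password, while against the salted record an attacker must redo the full stretched computation for every guess. The wordlist is constructed.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional

ITERATIONS = 600_000  # OWASP (2023) guidance for PBKDF2-HMAC-SHA256


def hash_password(password: str, iterations: int = ITERATIONS,
                  salt: Optional[bytes] = None) -> str:
    """Salted, stretched hash in a self-describing record:
    pbkdf2_sha256$<iterations>$<salt b64>$<hash b64>"""
    salt = salt if salt is not None else os.urandom(16)  # fresh 128-bit salt per password
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return "pbkdf2_sha256${}${}${}".format(
        iterations, base64.b64encode(salt).decode(), base64.b64encode(dk).decode())


def verify_password(password: str, record: str) -> bool:
    """Recompute with the salt and iteration count stored in the record."""
    scheme, iterations, salt_b64, dk_b64 = record.split("$")
    if scheme != "pbkdf2_sha256":
        raise ValueError("unsupported scheme")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             base64.b64decode(salt_b64), int(iterations))
    return hmac.compare_digest(dk, base64.b64decode(dk_b64))


# Why salting matters: a table precomputed once works against every unsalted hash.
WORDLIST = ["letmein", "qwerty", "password", "password1", "Summer2022"]  # constructed


def unsalted_sha256(password: str) -> str:
    return hashlib.sha256(password.encode()).hexdigest()


UNSALTED_TABLE = {unsalted_sha256(w): w for w in WORDLIST}


def lookup_unsalted(password_hash: str) -> Optional[str]:
    """O(1) hit against an unsalted hash: no cracking needed."""
    return UNSALTED_TABLE.get(password_hash)


def crack_record(record: str, wordlist) -> Optional[str]:
    """Against a salted, stretched record the only option is to re-run the
    whole PBKDF2 computation per candidate, per user: no table can be shared."""
    for word in wordlist:
        if verify_password(word, record):
            return word
    return None


if __name__ == "__main__":
    rec = hash_password("password1")
    print(rec)
    print("verify:", verify_password("password1", rec), verify_password("Password1", rec))
    print("table hit on unsalted:", lookup_unsalted(unsalted_sha256("password1")))
```

Stretching raises the attacker's cost per guess by the iteration count, but a weak password is still found by the dictionary attack above; stretching and salting buy time and remove economies of scale, they do not replace password policy or MFA.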
Public Key Infrastructure 


e Public Key Infrastructure 
o Public Key Infrastructure (PKI) 
= An entire system of hardware, software, policies, procedures, and people that is based on asymmetric encryption 
= Figure: Using PKI to create a secure SSL/TLS tunnel. The client encrypts with DionTraining.com's public key and DionTraining.com decrypts with its private key; that asymmetric exchange is used to agree on a shared secret key, and the HTTPS connection is then encrypted with the shared (symmetric) key on both sides 
o PKI and public key encryption are related but they are not the same thing 
o PKI is the entire system and just uses public key cryptography to function 


e Digital Certificates 
o Certificates 
= Digitally-signed electronic documents that bind a public key with a user's identity 
o X.509 
= Standard used by PKI for digital certificates; a certificate contains the owner/user's information and the certificate authority's information 
o Wildcard Certificates 
= Allow all of the subdomains to use the same public key certificate and have it displayed as valid 
= Wildcard certificates are easier to manage, but compromise of the one private key affects every subdomain 
o Subject Alternative Name (SAN) 
= Allows a certificate owner to specify additional domains and IP addresses to be supported 
o Single-sided certificates only require the server to be validated 
= Dual-sided (mutual TLS) certificates require both the server and the user to be validated 
o X.690 defines BER, CER, and DER for encoding 
o Basic Encoding Rules (BER) 
= The original ruleset governing the encoding of data structures for certificates where several different encoding types can be utilized 
o Canonical Encoding Rules (CER) 
= A restricted version of the BER that only allows the use of one encoding type 
o Distinguished Encoding Rules (DER) 
= Restricted version of the BER which allows one encoding type and has more restrictive rules for length, character strings, and how elements of a digital certificate are stored in X.509 
o Certificate file formats 
= Privacy-enhanced Electronic Mail (PEM): .pem, .cer, .crt, or .key (base64-encoded DER between BEGIN and END lines) 
= Public Key Cryptography Standards #12 (PKCS#12): .p12 
= Personal Information Exchange: .pfx (the Microsoft name for the PKCS#12 container, usually holding the private key as well) 
= Public Key Cryptography Standards #7 (PKCS#7): .p7b (certificates and chains, no private key) 
o Remember, these file types are associated with PKI 
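Added example, not part of the original study notes: a minimal DER encoder and strict decoder that shows what "one encoding only" means in practice (short-form lengths below 128, minimal long-form above, indefinite lengths refused), plus the PEM wrapper around DER. The sample structure is a constructed SEQUENCE standing in for a certificate body, not a real certificate.

```python
import base64
import textwrap
from typing import List, Tuple

# ASN.1 universal tags that appear in every X.509 certificate
SEQUENCE, INTEGER, UTF8STRING, OCTET_STRING = 0x30, 0x02, 0x0C, 0x04


def der_length(n: int) -> bytes:
    """DER length: short form for n < 128, otherwise 0x80|k followed by the
    minimal k-byte big-endian value. BER also allows non-minimal and indefinite
    (0x80) lengths; DER forbids both so each value has exactly one encoding."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der_encode(tag: int, value: bytes) -> bytes:
    return bytes([tag]) + der_length(len(value)) + value


def der_decode(buf: bytes, offset: int = 0) -> Tuple[int, bytes, int]:
    """Parse one TLV at `offset`; returns (tag, value, offset_after).
    Rejects the BER-only encodings a strict DER parser must refuse."""
    tag = buf[offset]
    first = buf[offset + 1]
    pos = offset + 2
    if first < 0x80:
        length = first
    elif first == 0x80:
        raise ValueError("indefinite length is BER, not DER")
    else:
        k = first & 0x7F
        length = int.from_bytes(buf[pos:pos + k], "big")
        if length < 0x80 or buf[pos] == 0:
            raise ValueError("non-minimal length encoding is not DER")
        pos += k
    if pos + length > len(buf):
        raise ValueError("length runs past end of buffer")
    return tag, buf[pos:pos + length], pos + length


def der_children(value: bytes) -> List[Tuple[int, bytes]]:
    """Walk the TLVs packed inside a constructed value (SEQUENCE, SET)."""
    out, pos = [], 0
    while pos < len(value):
        tag, inner, pos = der_decode(value, pos)
        out.append((tag, inner))
    return out


def der_to_pem(der: bytes, label: str = "CERTIFICATE") -> str:
    """PEM is just base64 DER between BEGIN/END lines, 64 characters per line."""
    body = "\n".join(textwrap.wrap(base64.b64encode(der).decode(), 64))
    return f"-----BEGIN {label}-----\n{body}\n-----END {label}-----\n"


def pem_to_der(pem: str) -> bytes:
    lines = [ln for ln in pem.splitlines() if ln and not ln.startswith("-----")]
    return base64.b64decode("".join(lines))


# Constructed stand-in for a certificate body:
#   SEQUENCE { INTEGER 2, UTF8String "example.com" }
# A real tbsCertificate has the same shape, just far more nested fields.
SAMPLE_DER = der_encode(SEQUENCE,
                        der_encode(INTEGER, b"\x02") + der_encode(UTF8STRING, b"example.com"))


if __name__ == "__main__":
    print(SAMPLE_DER.hex())
    tag, value, _ = der_decode(SAMPLE_DER)
    print(hex(tag), der_children(value))
    print(der_to_pem(SAMPLE_DER))
```

The strictness matters for security: a signature covers one exact byte string, and if a verifier accepted alternate BER encodings of the same values an attacker could produce a differently encoded certificate that some parsers read one way and others another.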


e Certificate Authorities 
o Registration Authority 
= Used to verify information about a user prior to requesting that a certificate authority issue the certificate 
o Certificate Authority 
= The entity that issues certificates to a user 
= DigiCert (which absorbed the VeriSign/Symantec CA business), Let's Encrypt, and many others act as root CAs 
o Certificate Revocation List (CRL) 
= An online list of digital certificates that the certificate authority has revoked 
o Online Certificate Status Protocol (OCSP) 
= A protocol that allows you to determine the revocation status of a digital certificate using its serial number 
o OCSP Stapling 
= The server holding the certificate fetches a signed OCSP response from the CA's responder at regular intervals and includes ("staples") it in the SSL/TLS handshake, so the client does not have to query the responder itself 
o Public Key Pinning 
= Allows an HTTPS website to resist impersonation attacks by presenting a set of trusted public keys to the user's web browser as part of an HTTP header (HPKP) 
= HPKP has been deprecated and removed from major browsers because a mistaken or malicious pin can lock users out of a site; pinning is now done inside applications rather than via the header 
o Key Escrow and Key Recovery Agent 
= Key Escrow 
e Occurs when a secure copy of a user's private key is held in case the user accidentally loses their key 
= Key Recovery Agent 
e A specialized type of software (or designated role) that allows the restoration of a lost or corrupted key to be performed 
o All of a CA's certificates must be revoked if it is compromised 


e Web of Trust 
o Web of Trust 
= A decentralized trust model that addresses issues associated with the public authentication of public keys within a CA-based PKI system 
= A peer-to-peer model 
= Certificates are created as self-signed certificates 
= Pretty Good Privacy (PGP) is a web of trust 
Security Protocols 


Security Protocols 
o Emails 
o Websites 
o Remote control 
o Remote access 


S/MIME 
o Secure/Multipurpose Internet Mail Extensions (S/MIME) 
= A standard that provides cryptographic security for electronic messaging 
e Authentication 
e Integrity 
e Non-repudiation 
o S/MIME can encrypt emails and their contents ...including malware, which a mail gateway can then no longer scan 


SSL and TLS 
o Secure Socket Layer (SSL) and Transport Layer Security (TLS) 
= Cryptographic protocols that provide secure Internet communications for web browsing, instant messaging, email, VoIP, and many other services 
= We already covered how TLS works in the PKI lesson 
o Downgrade Attack 
= A protocol is tricked into using a lower quality version of itself instead of a higher quality version 
o Break and Inspect 
= A proxy terminates the TLS session, inspects the decrypted traffic, and re-encrypts it toward the destination; clients must trust the proxy's CA certificate for this to work 

SSH 
o Secure Shell (SSH) 
= A protocol that can create a secure channel between two computers or network devices to enable one device to control the other device 
= SSH requires a server (daemon) to be run on one device and a client on the other 
= SSH uses port 22 
= SSH 2.0 uses Diffie-Hellman key exchange and MACs 
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e VPN Protocols 
o Virtual Private Networks 
= A secure connection between two or more computers or devices that are not on the same private network 
o Point-to-Point Tunneling Protocol (PPTP) 
= A protocol that encapsulates PPP packets and ultimately sends data as encrypted traffic 
= PPTP uses TCP port 1723 
= PPTP relies on MS-CHAP-based authentication, which has known weaknesses, so PPTP is considered insecure and should be avoided 
o Layer 2 Tunneling Protocol (L2TP) 
= A tunneling protocol that carries PPP frames between two or more computers or devices that are not on the same private network, but provides no encryption of its own 
= L2TP is usually paired with IPSec to provide security 
= L2TP uses UDP port 1701 
o IPSec 
= A TCP/IP protocol that authenticates and encrypts IP packets, effectively securing communications between computers and devices using this protocol 
= IPSec provides confidentiality (encryption), integrity (hashing), and authentication (key exchange) 
o Internet Key Exchange (IKE) 
= Method used by IPSec to create a secure tunnel by encrypting the connection between authenticated peers 
= IKE phase 1 establishes the IKE security association using either Main mode (six messages, peer identities protected) or Aggressive mode (three messages, identities sent in the clear) 
= IKE phase 2 uses Quick mode to negotiate the IPSec security associations that protect the actual traffic 
o Security Association (SA) 
= Establishment of secure connections and shared security information using certificates or cryptographic keys 
o Authentication Header (AH) 
= Protocol used in IPSec that provides integrity and authentication 
o Encapsulating Security Payload (ESP) 
= Provides integrity, confidentiality, and authenticity of packets by encapsulating and encrypting them 
= Transport Mode 
e Host-to-host transport mode only encrypts the payload of an IP packet but not its header 
e Transport mode is used for transmission between hosts on a private network 
= Tunnel Mode 
e A network tunnel is created which encrypts the entire IP packet (payload and header) and wraps it in a new IP header 
e Tunnel mode is commonly used for transmission between networks 
Planning for the Worst 


e Planning for the Worst 
o Redundancy usually refers to when you have something extra or unnecessary 
o Redundancy helps ensure fault-tolerance to continue operations 
o Single Point of Failure 
= The individual elements, objects, or parts of a system that would cause 
the whole system to fail if they were to fail 


e Redundant Power 
o Redundant Power Supply 
= An enclosure that provides two or more complete power supplies 
= A redundant power supply mitigates a single point of failure 
o Surge 
= An unexpected increase in the amount of voltage provided 
o Spike 
= A short transient in voltage that can be due to a short circuit, tripped 
circuit breaker, power outage, or lightning strike 
o Sag 
= An unexpected decrease in the amount of voltage provided 
o Brownout 
= Occurs when the voltage drops low enough that it typically causes the 
lights to dim and can cause a computer to shut off 
o Blackout 
= Occurs when there is a total loss of power for a prolonged period 


e Backup Power 
o Uninterruptible Power Supply (UPS) 
= Combines the functionality of a surge protector with that of a battery 
backup 
o Backup Generator 
= An emergency power system used when there is an outage of the regular 
electric grid power 
= Portable gas-engine 
= Permanently installed 
= Battery-inverter 
o How do you decide which to use? 


e Data Redundancy 
o Redundant Array of Independent Disks (RAID)
= Allows the combination of multiple physical hard disks into a single logical
hard disk drive that is recognized by the operating system
o RAID 0
= Provides data striping across multiple disks to increase performance
[Figure: RAID 0, data striped across Disk 0 and Disk 1]
o RAID 1
= Provides redundancy by mirroring the data identically on two hard disks
[Figure: RAID 1, data mirrored on Disk 0 and Disk 1]
o RAID 5
= Provides redundancy by striping data and parity data across the disk
drives
[Figure: RAID 5, data and parity striped across Disk 0 through Disk 3]
o RAID 6
= Provides redundancy by striping and double parity data across the disk
drives
[Figure: RAID 6, data and double parity striped across Disk 0 through Disk 4]
o RAID 10
= Creates a striped RAID of two mirrored RAIDs (combines RAID 1 & RAID 0)
[Figure: RAID 10]
o Fault-resistant RAID
= Protects against the loss of the array’s data if a single disk fails (RAID 1 or
RAID 5)
o Fault-tolerant RAID
= Protects against the loss of the array’s data if a single component fails
(RAID 1, RAID 5, RAID 6)
o Disaster-tolerant RAID
= Provides two independent zones with full access to the data (RAID 10)
[Figure: RAID 0+1]
o RAIDs provide redundancy and high-availability
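A small simulation of how RAID 0, RAID 1 and RAID 5 lay data out and what each level can recover when a disk is lost, added here as an example; it is not code from these study notes or from any real RAID controller. The chunk size, the disk counts and the sample payload are constructed for the demonstration, and the rotating parity position is one common arrangement assumed here.

```python
"""Toy RAID 0 / RAID 1 / RAID 5 layouts on byte strings (added example).

Real controllers work on sectors; this simulation keeps the same ideas at
byte-chunk scale so the parity and recovery logic is easy to follow.
"""
from functools import reduce
from typing import List, Optional

# Constructed sample payload for the demonstration.
SAMPLE = b"The quick brown fox jumps over the lazy dog"


def split_chunks(data: bytes, chunk: int) -> List[bytes]:
    """Split data into fixed-size chunks, zero-padding the final one."""
    padded = data + b"\x00" * (-len(data) % chunk)
    return [padded[i:i + chunk] for i in range(0, len(padded), chunk)]


def xor(*blocks: bytes) -> bytes:
    """Bytewise XOR of equally sized blocks: the RAID 5 parity function."""
    return bytes(reduce(lambda a, b: a ^ b, col) for col in zip(*blocks))


def raid0_write(data: bytes, disks: int, chunk: int = 4) -> List[List[bytes]]:
    """RAID 0: chunks are striped round-robin; losing any disk loses the data."""
    layout: List[List[bytes]] = [[] for _ in range(disks)]
    for i, c in enumerate(split_chunks(data, chunk)):
        layout[i % disks].append(c)
    return layout


def raid0_read(layout: List[Optional[List[bytes]]], length: int) -> bytes:
    """RAID 0 has no parity: a missing disk means the data is gone."""
    if any(disk is None for disk in layout):
        raise RuntimeError("RAID 0 cannot recover from a lost disk")
    out = bytearray()
    for s in range(len(layout[0])):
        for disk in layout:
            if s < len(disk):
                out += disk[s]
    return bytes(out[:length])


def raid1_write(data: bytes, chunk: int = 4) -> List[List[bytes]]:
    """RAID 1: every chunk is written identically to both disks."""
    chunks = split_chunks(data, chunk)
    return [list(chunks), list(chunks)]


def raid5_write(data: bytes, disks: int, chunk: int = 4) -> List[List[bytes]]:
    """RAID 5: each stripe holds (disks - 1) data chunks plus one XOR parity chunk;
    the parity position rotates so no single disk absorbs every parity write."""
    if disks < 3:
        raise ValueError("RAID 5 needs at least three disks")
    layout: List[List[bytes]] = [[] for _ in range(disks)]
    width = disks - 1
    chunks = split_chunks(data, chunk)
    for s in range(0, len(chunks), width):
        stripe = chunks[s:s + width]
        stripe += [b"\x00" * chunk] * (width - len(stripe))  # pad a short last stripe
        parity_pos = (disks - 1 - s // width) % disks
        data_iter = iter(stripe)
        for d in range(disks):
            layout[d].append(xor(*stripe) if d == parity_pos else next(data_iter))
    return layout


def raid5_read(layout: List[Optional[List[bytes]]], length: int) -> bytes:
    """Reassemble the data. A failed disk is represented by None; its chunks are
    rebuilt as the XOR of the surviving chunks in each stripe. Two failures are
    unrecoverable, which is what RAID 6's second parity block addresses."""
    disks = len(layout)
    failed = [d for d, disk in enumerate(layout) if disk is None]
    if len(failed) > 1:
        raise RuntimeError("RAID 5 tolerates only a single disk failure")
    nstripes = len(next(disk for disk in layout if disk is not None))
    out = bytearray()
    for s in range(nstripes):
        parity_pos = (disks - 1 - s) % disks
        row = [layout[d][s] if layout[d] is not None else None for d in range(disks)]
        if failed:
            row[failed[0]] = xor(*[c for c in row if c is not None])
        for d in range(disks):
            if d != parity_pos:
                out += row[d]
    return bytes(out[:length])


if __name__ == "__main__":
    array = raid5_write(SAMPLE, disks=4)
    array[1] = None                          # simulate Disk 1 failing
    print(raid5_read(array, len(SAMPLE)))    # the payload is rebuilt from parity
```

Pulling a second disk from the RAID 5 array makes raid5_read raise, which is the practical difference between the fault-tolerant levels listed above: RAID 5 buys one disk of protection, RAID 6 two, and RAID 0 none.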


e Network Redundancy 
o Focused on ensuring that the network remains up 
o Redundant Internet connections 


e Server Redundancy 
o Cluster 
= Two or more servers working together to perform a particular job 
function 
o Failover Cluster 
= A secondary server can take over the function when the primary one fails 
o Load-balancing Cluster 
= Servers are clustered in order to share resources such as CPU, RAM, and
hard disks


e Redundant Sites 
o Hot Site 
= A near duplicate of the original site of the organization that can be up 
and running within minutes 
o Warm Site
= A site that has computers, phones, and servers but they might require
some configuration before users can start working
o Cold Site
= A site that has tables, chairs, bathrooms, and possibly some technical
items like phones and network cabling
o How do you choose the type of site? 


e Data Backup 
o Maintaining a good backup is crucial to disaster recovery 
o Full Backup 
= All of the contents of a drive are backed up 
o Incremental Backup 
= Only conducts a backup of the contents of a drive that have changed 
since the last full or incremental backup 
o Differential Backup 
= Only conducts a backup of the contents of a drive that has changed since 
the last full backup 


[Figure: two example backup schedules as Day/Type tables. Left table: Sunday Full,
Monday Differential, with a failure on Wednesday. Right table: failure on Friday;
the remaining Type entries did not survive extraction]
= Differential backups take more time to create but less time to restore 


e Tape Rotation 
o 10 Tape Rotation
= Each tape is used once per day for two weeks and then the entire set is
reused
o Grandfather-Father-Son
= Three sets of backup tapes are defined as the son (daily), the father
(weekly), and the grandfather (monthly)
o Towers of Hanoi
= Three sets of backup tapes (like the grandfather-father-son) that are
rotated in a more complex system


Day   Tape
1     A
2     B
3     A
4     C
5     A
6     B
7     A

o Snapshot Backup 
= Type of backup primarily used to capture the entire operating system 
image including all applications and data 
= Snapshots are also commonly used with virtualized systems 
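The backup-type and tape-rotation bullets above describe two trade-offs in words; this added example (not code from the study notes) makes them concrete: it computes what each day's incremental or differential job has to copy, which jobs a restore needs after a failure, and which tape the Towers of Hanoi and Grandfather-Father-Son schemes pick on a given day. The week of file changes is constructed, and the exact GFS convention (monthly on the last day of the month, weekly on Friday) is one common choice assumed here.

```python
"""Backup chains and tape rotation schedules (added example)."""
from datetime import date, timedelta
from typing import Dict, List, Set

# Constructed change log for one week: day 0 is Sunday (the full backup);
# each later day lists the files that changed during that day.
CHANGES: Dict[int, Set[str]] = {
    0: set(),
    1: {"a.txt"},
    2: {"b.txt"},
    3: {"a.txt", "c.txt"},
    4: {"d.txt"},
}
ALL_FILES = {"base.txt", "a.txt", "b.txt", "c.txt", "d.txt"}


def backup_sets(changes: Dict[int, Set[str]], strategy: str) -> Dict[int, Set[str]]:
    """Files written by each day's backup job.

    Day 0 is a full backup of everything. An incremental job copies only what
    changed since the previous job (of any kind); a differential job copies
    everything that changed since the last FULL backup, so it grows each day.
    """
    sets = {0: set(ALL_FILES)}
    since_full: Set[str] = set()
    for day in sorted(d for d in changes if d > 0):
        if strategy == "incremental":
            sets[day] = set(changes[day])
        elif strategy == "differential":
            since_full |= changes[day]
            sets[day] = set(since_full)
        else:
            raise ValueError(f"unknown strategy {strategy!r}")
    return sets


def restore_chain(sets: Dict[int, Set[str]], failure_day: int, strategy: str) -> List[int]:
    """Backup jobs that must be restored, in order, after a failure on failure_day
    (before that day's job ran). Incremental: the full plus every incremental.
    Differential: the full plus only the most recent differential."""
    available = [d for d in sets if d < failure_day]
    if strategy == "incremental":
        return available
    latest = max(available)
    return [0, latest] if latest > 0 else [0]


def weekly_cost(sets: Dict[int, Set[str]]) -> int:
    """Total files copied by the non-full jobs: the 'time to create' side of the trade-off."""
    return sum(len(s) for d, s in sets.items() if d > 0)


def hanoi_tape(day: int, tapes: str = "ABCDE") -> str:
    """Towers of Hanoi rotation: tape A on every odd day, B on every fourth day
    starting at day 2, C on every eighth day starting at day 4, and so on. The tape
    index is the number of trailing zero bits in the day number; the highest tape
    absorbs days beyond the set's reach (an implementation choice assumed here)."""
    if day < 1:
        raise ValueError("days are numbered from 1")
    index = (day & -day).bit_length() - 1
    return tapes[min(index, len(tapes) - 1)]


def gfs_tape(d: date) -> str:
    """Grandfather-Father-Son under one common convention (assumed here): the last
    backup of the month is the grandfather, the Friday backup the father, and every
    other day a son tape."""
    if (d + timedelta(days=1)).day == 1:
        return "grandfather (monthly)"
    if d.weekday() == 4:  # Monday == 0, so Friday == 4
        return "father (weekly)"
    return "son (daily)"


if __name__ == "__main__":
    for strategy in ("incremental", "differential"):
        jobs = backup_sets(CHANGES, strategy)
        print(strategy, "weekly copies:", weekly_cost(jobs),
              "restore after Friday failure:", restore_chain(jobs, 5, strategy))
    print("".join(hanoi_tape(n) for n in range(1, 17)))
```

Running it shows the asymmetry the notes describe: over the constructed week the differential jobs copy ten files against five for incremental, but a Friday restore needs only two differential sets against five incremental ones. The first seven values of hanoi_tape reproduce the Day/Tape table above.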


e Disaster Recovery Planning 
o Disaster Recovery Planning 
= The development of an organized and in-depth plan for problems that 
could affect the access of data or the organization’s building 
e Fire 
e Flood 
e Long-term Power Loss 
e Theft or Attack 
e Loss of Building 
o Disaster Recovery Plan (DRP) should be written down 
= Contact Information 
= Impact Determination 
= Recovery Plan 
= Business Continuity Plan (BCP) 
= Copies of Agreements 
= Disaster Recovery Exercises 
= List of Critical Systems and Data 


e Business Impact Analysis 
o Business Impact Analysis (BIA) 
= A systematic activity that identifies organizational risks and determines 
their effect on ongoing, mission critical operations 
= Business impact analysis is governed by metrics that express system
availability
o Maximum Tolerable Downtime (MTD)
= The longest period of time a business can be inoperable without causing
irrevocable business failure
= Each business process can have its own MTD, such as a range of minutes
to hours for critical functions, 24 hours for urgent functions, or up to 7
days for normal functions
= MTD sets the upper limit on the recovery time that system and asset
owners need to resume operations
= If the power grid is out for more than 60 minutes, our primary internet 
connection via our cable provider dies 
= What is our MTD for our support services? 


o Recovery Time Objective (RTO) 
= The length of time it takes after an event to resume normal business 
operations and activities 
o Work Recovery Time (WRT) 
= The length of time in addition to the RTO of individual systems to 
perform reintegration and testing of a restored or upgraded system 
following an event 
o Recovery Point Objective (RPO) 
= The longest period of time that an organization can tolerate lost data 
being unrecoverable 
= Recovery Point Objective (RPO) is focused on how long can you be 
without your data 
= MTD and RPO help to determine which business functions are critical and 
to specify appropriate risk countermeasures 
= Designing your disaster recovery and continuity of operations plans
requires an understanding of your availability and reliability levels
o Disasters can be caused by internal or external forces 
= Mean Time To Repair (MTTR) 
e Measures the average time it takes to repair a network device 
when it breaks 
= Mean Time Between Failures (MTBF) 
e Measures the average time between failures of a device 
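The metrics above relate to each other in two ways the definitions imply: WRT is time on top of RTO, and MTD is the ceiling both must fit under; RPO bounds how old the last backup may be. This added example (not code from the study notes) checks a constructed recovery plan against those relationships and derives availability from MTBF and MTTR. The process names and hour values are made up for the demonstration.

```python
"""Relating the BIA metrics to a concrete recovery plan (added example)."""
from typing import List

HOURS_PER_YEAR = 24 * 365


def availability(mtbf_hours: float, mttr_hours: float) -> float:
    """Steady-state availability of a component from its failure and repair times."""
    return mtbf_hours / (mtbf_hours + mttr_hours)


def expected_downtime_hours(avail: float, hours: float = HOURS_PER_YEAR) -> float:
    """Hours of unavailability to expect over a period at a given availability."""
    return (1.0 - avail) * hours


def assess_process(name: str, mtd_h: float, rto_h: float, wrt_h: float,
                   rpo_h: float, backup_interval_h: float) -> List[str]:
    """Check one business process's plan against its BIA targets.

    * RTO + WRT must fit inside MTD; otherwise the systems are back but the
      process still is not working when the tolerable downtime runs out.
    * The gap between backups must not exceed RPO; otherwise the data lost in
      the worst case is more than the process can tolerate.
    Returns a list of findings; an empty list means the plan meets its targets.
    """
    findings = []
    if rto_h + wrt_h > mtd_h:
        findings.append(f"{name}: RTO {rto_h}h + WRT {wrt_h}h = {rto_h + wrt_h}h "
                        f"exceeds MTD {mtd_h}h")
    if backup_interval_h > rpo_h:
        findings.append(f"{name}: backups every {backup_interval_h}h cannot meet "
                        f"RPO {rpo_h}h")
    return findings


if __name__ == "__main__":
    # Constructed figures: a device that fails every 999 hours and takes 1 hour to repair.
    a = availability(999.0, 1.0)
    print(f"availability {a:.3%}, about {expected_downtime_hours(a):.1f} h/year down")
    for line in assess_process("Order processing", mtd_h=4, rto_h=3, wrt_h=2,
                               rpo_h=1, backup_interval_h=24):
        print(line)
```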
Social Engineering

Social Engineering
o Social Engineering
= Manipulates a user into revealing confidential information that is
detrimental to that user or the security of our systems


Insider Threat 
o Most dangerous threat to organizational security 
o Insider Threat 
= A person who works for or with your organization but has ulterior
motives
= Employees who steal your information are insider threats 
= Data Loss Prevention systems can be used to help identify insider threats 


Phishing
o Social Engineering
= Anytime you are trying to deceive, lie, or trick the user into doing
something
o Phishing
= An attempt to fraudulently obtain information from a user (usually by
email)


o Spear Phishing 
= An attempt to fraudulently obtain information from a user, usually by 
email that targets a specific individual 
o Whaling 
= A form of spear phishing that directly targets the CEO, CFO, CIO, CSO, or 
other high-value target in an organization 
o Smishing 
= Phishing conducted over text messaging (SMS) 
o Vishing 
= Phishing conducted over voice and phone calls 
o Pharming 
= Phishing attempt to trick a user to access a different 
or fake website (usually by modifying hosts file) 


o Phishing is a more specific type of social engineering 
o Phishing is a generic category with specific techniques 


Motivation Factors
o Authority
= People are more willing to comply with a request when
they think it is coming from someone in authority
= Use of recognizable brand names like a bank or PayPal could be
considered a form of authority
o Urgency
= People are usually in a rush these days and urgency takes advantage of
this fact
o Social Proof
= People are more likely to click on a link through social media or based on
seeing others have already clicked on it
o Scarcity
= Technique that relies on the fear of missing out on a good deal that is
only offered in limited quantities or a limited time
o Likeability
= A technique where the social engineer attempts to find common ground
and shared interests with their target
o Fear
= The use of threats or demands to intimidate someone into helping you in
the attack


More Social Engineering
o Diversion Theft
= When a thief attempts to take responsibility for a shipment by diverting
the delivery to a nearby location
o Hoax
= Attempt at deceiving people into believing that something is false when it
is true (or vice versa)
o Shoulder Surfing
= When a person uses direct observation to obtain authentication
information
o Eavesdropping
= When a person uses direct observation to “listen” in to a conversation
o Dumpster Diving
= When a person scavenges for private information in garbage containers
o Baiting
= When a malicious individual leaves malware-infected removable media
such as a USB drive or optical disc lying around in plain view
o Piggybacking
= When an unauthorized person tags along with an authorized person to
gain entry to a restricted area
o Watering Hole Attack
= When an attacker figures out where users like to go, and places malware
to gain access to your organization


e Frauds and Scams
o Fraud
= The wrongful or criminal deception intended to result in financial or
personal gain
o Identity Fraud
= The use by one person of another person's personal information, without
authorization, to commit a crime or to deceive or defraud that other
person or a third person
= Identity theft involves stealing another person's identity and using it as
your own
= Identity fraud and identity theft are commonly used interchangeably
these days
o Scam
= A fraudulent or deceptive act or operation
o Invoice Scam
= A scam in which a person is tricked into paying for a fake invoice for a
service or product that they did not order
= Identity fraud and invoice scams are low-tech social engineering
techniques
o Prepending
= A technical method used in social engineering to trick users into entering
their username and passwords by adding an invisible string before the
weblink they click
= The prepended string (data:text) converts the link into a Data URI (or
Data URL) that embeds small files inline of documents
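Two of the techniques in this section leave checkable traces on the client: pharming via a modified hosts file (under Phishing above) and prepending a data:text string to a link (just above). This added example, which is not code from the study notes, audits a hosts file for entries that pin public names to non-loopback addresses and classifies link targets so that data: URIs stand out. The hosts file and e-mail body are constructed, and the address and domain names are documentation values.

```python
"""Client-side checks for the pharming and prepending indicators (added example)."""
import re
from typing import Dict, List, Optional, Tuple
from urllib.parse import urlsplit

# Constructed hosts file: two normal loopback lines and one pharming-style pin.
SAMPLE_HOSTS = """\
# Host Database
127.0.0.1       localhost
::1             localhost
203.0.113.7     www.example-bank.com
"""

# Constructed e-mail body: one ordinary link and one whose target was prepended
# with data:text, so the browser renders an embedded page instead of a site.
SAMPLE_EMAIL_HTML = """\
<p>Your statement is ready. <a href="https://www.example.com/statements">View</a></p>
<p>Sign in: <a href="data:text/html;base64,PGh0bWw+PC9odG1sPg==">https://www.example-bank.com/login</a></p>
"""

LOCAL_ADDRESSES = {"127.0.0.1", "::1", "0.0.0.0"}
LOCAL_NAMES = {"localhost", "localhost.localdomain", "broadcasthost"}


def audit_hosts(text: str) -> List[Tuple[str, str]]:
    """Return (address, hostname) pairs that pin a non-local name to a non-loopback
    address. Such entries bypass DNS entirely, which is how the pharming technique
    above redirects a victim; on an end-user machine they deserve a look."""
    findings = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        address, *names = line.split()
        if address in LOCAL_ADDRESSES:
            continue
        for name in names:
            if name not in LOCAL_NAMES and not name.endswith(".local"):
                findings.append((address, name))
    return findings


def classify_link(href: str) -> Dict[str, Optional[str]]:
    """Describe where a link really goes. For a data: URI the media type and
    encoding are extracted so an analyst can see what would be rendered."""
    parts = urlsplit(href.strip())
    scheme = parts.scheme.lower()
    if scheme == "data":
        header = parts.path.split(",", 1)[0]  # e.g. "text/html;base64"
        media, *params = header.split(";")
        return {"kind": "data-uri", "media_type": media or "text/plain",
                "encoding": "base64" if "base64" in params else "percent"}
    if scheme in ("http", "https"):
        return {"kind": scheme, "host": parts.hostname}
    return {"kind": "other", "scheme": scheme or None}


HREF = re.compile(r'<a\s+[^>]*href="([^"]*)"', re.IGNORECASE)


def suspicious_links(html: str) -> List[str]:
    """Hrefs in an HTML body that are data: URIs, the prepending indicator."""
    return [h for h in HREF.findall(html) if classify_link(h)["kind"] == "data-uri"]


if __name__ == "__main__":
    print(audit_hosts(SAMPLE_HOSTS))
    print(suspicious_links(SAMPLE_EMAIL_HTML))
```

Note that the second link's visible text is a normal-looking https address while its target is a data: URI, which is why the check must look at the href rather than at what the user sees.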


e Influence Campaigns
o Influence Operations
= The collection of tactical information about an adversary as well as the
dissemination of propaganda in pursuit of a competitive advantage over
an opponent
= Influence operations is the military term, but CompTIA uses the term
influence campaign
o Hybrid Warfare
= A military strategy which employs political warfare and blends
conventional warfare, irregular warfare and cyberwarfare with other
influencing methods, such as fake news, diplomacy, and foreign electoral
intervention

“The Russian influence campaign on social media in the 2016 election
made an extraordinary effort to target African-Americans, used an array
of tactics to try to suppress turnout among Democratic voters and
unleashed a blizzard of activity on Instagram that rivaled or exceeded
its posts on Facebook.”

Scott Shane and Sheera Frenkel
New York Times


User Education 
o Never share authentication information 
o Clean Desk Policy 
= Policy where all employees must put away everything from their desk at 
the end of the day into locked drawers and cabinets 
o Train users how to encrypt emails and data 
o Follow organizational data handling and disposal policies 


Policies and Procedures
Policies and Procedures
o Governance provides a comprehensive security management framework
o Policies
= Defines the role of security in an organization and establishes the desired
end state of the security program
= Policies are very broad
o Organizational Policies
= Provide general direction and goals, a framework to meet the business
goals, and define the roles, responsibilities, and terms
o System-Specific Policies
= Address the security needs of a specific technology, application, network,
or computer system
o Issue-Specific Policies
= Built to address a specific security issue, such as email privacy, employee
termination procedures, or other specific issues
o Policies may be regulatory, advisory, or informative
o Standards are used to implement a policy in an organization
o Baseline
= Created as reference points which are documented for use as a method
of comparison during an analysis conducted in the future
o Guidelines are used to recommend actions
o Procedures
= Detailed step-by-step instructions that are created to ensure personnel
can perform a given action
o Exam Tip
= Policies are generic
= Procedures are specific



Data Classifications 
o Data Classification 
= Category based on the value to the organization and the sensitivity of the 
information if it were to be disclosed 
o Sensitive Data 
= Any information that can result in a loss of security, or loss of advantage 
to a company, if accessed by unauthorized persons 
o Commercial businesses and the government use different classification 
systems 


o Commercial Classifications 
= Public Data
e Has no impact to the company if released and is often posted in 
the open-source environment. 
e Sensitive data might have a minimal impact if released 
= Private Data 
e Contains data that should only be used within the organization 
= Confidential Data 
e Highest classification level that contains items such as trade 
secrets, intellectual property data, source code, and other types 
that would seriously affect the business if disclosed 
o Government Classifications 
= Unclassified data can be released to the public 
= Sensitive but Unclassified 
e Items that wouldn’t hurt national security if released but could 
impact those whose data is contained in it 
= Confidential Data 
e Data that could seriously affect the government if unauthorized 
disclosure were to happen 
= Secret Data
e Data that could seriously damage national security if disclosed 
= Top Secret Data 
e Data that could gravely damage national security if it were known 
to those who are not authorized for this level of information 
o Data should not be stored forever 


Data Ownership
o The process of identifying the person responsible for the confidentiality, integrity,
availability and privacy of information assets

o Data Owner
= A senior (executive) role with ultimate responsibility for maintaining the
confidentiality, integrity and availability of the information asset
= The data owner is responsible for labeling the asset and ensuring that it is
protected with appropriate controls
o Data Steward
= A role focused on the quality of the data and associated metadata
o Data Custodian
= A role responsible for handling the management of the system on which
the data assets are stored
o Privacy Officer
= A role responsible for the oversight of any PII/SPI/PHI assets managed by
the company


e PII and PHI
o It is your responsibility to protect the data collected
o Personal Identifiable Information (PII)
= A piece of data that can be used either by itself or in combination with 
some other pieces of data to identify a single person 
e Full Name 
e Driver’s License 
e Date of Birth 
e Place of Birth 
e Biometric Data 
e Financial Account Numbers 
e Email Addresses 
e Social Media Usernames 
= Verify with your legal team what is considered PII 
o Privacy Act of 1974 
= Affects U.S. government computer systems that collect, store, use, or
disseminate personally identifiable information
o Health Insurance Portability and Accountability Act (HIPAA) 
= Affects healthcare providers, facilities, insurance companies, and medical 
data clearing houses 
o Sarbanes-Oxley (SOX) 
= Affects publicly-traded U.S. corporations and requires certain accounting 
methods and financial reporting requirements 
o Gramm-Leach-Bliley Act (GLBA) 
= Affects banks, mortgage companies, loan offices, insurance companies, 
investment companies, and credit card providers 
o Federal Information Security Management (FISMA) Act of 2002 
= Requires each agency to develop, document, and implement an agency-wide
information systems security program to protect their data
o Payment Card Industry Data Security Standard (PCI DSS) is a contractual 
obligation 
o Help America Vote Act (HAVA) of 2002 
= Provides regulations that govern the security, confidentiality, and 
integrity of the personal information collected, stored, or processed 
during the election and voting process 
o SB 1386 requires any business that stores personal data to disclose a breach


Legal Requirements 
o Any type of information or asset should consider how a compromise of that 
information can threaten the three core security attributes of the CIA Triad 
o Security controls focus on the CIA attributes of the processing system 


o Privacy
= A data governance requirement that arises when collecting and
processing personal data to ensure the rights of the data subject
= Legal requirements will affect your corporate governance and the policies
in regards to privacy of your users' data
o General Data Protection Regulation (GDPR)
= Personal data cannot be collected, processed, or retained without the
individual's informed consent
= GDPR also provides the right for a user to withdraw consent, to inspect,
amend, or erase data held about them
= GDPR requires data breach notification within 72 hours
o WARNING: Data breaches can happen accidentally or through malicious
interference


Privacy Technologies 
o Deidentification
= Methods and technologies that remove identifying information from data
before it is distributed
= Deidentification is often implemented as part of database design
o Data Masking
= A deidentification method where generic or placeholder labels are
substituted for real data while preserving the structure or format of the
original data
o Tokenization
= A deidentification method where a unique token is substituted for real
data
o Aggregation/Banding
= A deidentification technique where data is generalized to protect the
individuals involved
o Reidentification
= An attack that combines a deidentified dataset with other data sources
to discover how secure the deidentification method used is
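The three deidentification methods above and the reidentification attack they defend against, as an added example that is not code from the study notes: masking keeps a ZIP prefix, tokenization swaps a name for a random token kept in a separate vault, banding generalizes age, and a k-anonymity count shows how many records share each combination of quasi-identifiers, since a record that is unique on those fields is what a join against another dataset singles out. The records are constructed; the vault and token formats are choices made here.

```python
"""Data masking, tokenization and banding on a constructed record set, with a
k-anonymity check that shows why reidentification gets harder (added example)."""
import secrets
from collections import Counter
from typing import Dict, Iterable, List, Tuple

# Constructed records; the quasi-identifiers age and zip are what a
# reidentification attack would join against an outside data source.
RECORDS: List[Dict[str, object]] = [
    {"name": "Ada Lovelace",   "age": 36, "zip": "10001", "diagnosis": "flu"},
    {"name": "Alan Turing",    "age": 34, "zip": "10002", "diagnosis": "asthma"},
    {"name": "Grace Hopper",   "age": 52, "zip": "10301", "diagnosis": "flu"},
    {"name": "Claude Shannon", "age": 58, "zip": "10305", "diagnosis": "migraine"},
]


def mask(value: str, keep_prefix: int = 0, fill: str = "X") -> str:
    """Data masking: keep the leading characters, replace the rest, preserve length."""
    return value[:keep_prefix] + fill * (len(value) - keep_prefix)


def tokenize(value: str, vault: Dict[str, str]) -> str:
    """Tokenization: substitute a random token and record the mapping in a vault
    that is stored separately from the released data. The same value always maps
    to the same token so joins inside the released set still work."""
    for token, original in vault.items():
        if original == value:
            return token
    token = "tok_" + secrets.token_hex(6)
    vault[token] = value
    return token


def band(value: int, width: int = 10) -> str:
    """Aggregation/banding: generalize a number to the range it falls in."""
    low = (value // width) * width
    return f"{low}-{low + width - 1}"


def deidentify(record: Dict[str, object], vault: Dict[str, str]) -> Dict[str, object]:
    """Apply one method per field; the diagnosis is the payload and stays as is."""
    return {
        "name": tokenize(str(record["name"]), vault),
        "age": band(int(record["age"])),
        "zip": mask(str(record["zip"]), keep_prefix=3),
        "diagnosis": record["diagnosis"],
    }


def k_anonymity(records: Iterable[Dict[str, object]], quasi_ids: Tuple[str, ...]) -> int:
    """Smallest group of records sharing the same quasi-identifier values.
    k == 1 means some record is unique on those fields and can be singled out by
    joining with another dataset; a larger k blunts that reidentification attack."""
    groups = Counter(tuple(r[q] for q in quasi_ids) for r in records)
    return min(groups.values())


if __name__ == "__main__":
    vault: Dict[str, str] = {}
    released = [deidentify(r, vault) for r in RECORDS]
    for row in released:
        print(row)
    print("k before:", k_anonymity(RECORDS, ("age", "zip")),
          "k after:", k_anonymity(released, ("age", "zip")))
```

On the constructed data every original record is unique on (age, zip), so k is 1 before deidentification; after banding and masking the four records fall into two groups of two, so k becomes 2. The vault, not the released rows, is what would have to be protected to keep the tokens from being reversed.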
Security Policies
o Privacy policies govern the labeling and handling of data 
o Acceptable Use Policy 
= Defines the rules that restrict how a computer, network, or other systems 
may be used 
o Change Management Policy
= Defines the structured way of changing the state of a computer system,
network, or IT procedure
o Separation of Duties is a preventative type of administrative control 
o Job Rotation 
= Different users are trained to perform the tasks of the same position to 
help prevent and identify fraud that could occur if only one employee 
had the job 
o Onboarding and Offboarding Policy 
= Dictates what type of things need to be done when an employee is hired, 
fired, or quits 
= Terminated employees are often not cooperative 


o Due Diligence 
= Ensuring that IT infrastructure risks are known and managed properly 
o Due Care 
= Mitigation actions that an organization takes to defend against the risks 
that have been uncovered during due diligence 
o Due Process
= A legal term that refers to how an organization must respect and
safeguard personnel’s rights
= Due process protects citizens from their government and companies from 
lawsuits 


User Education 
o Security Awareness Training 
= Used to reinforce to users the importance of their help in securing the 
organization’s valuable resources 
= User security awareness training has the best return on investment 
o Security Training 
= Used to teach the organization’s personnel the skills they need to 
perform their job in a more secure manner 
o Security education is generalized training (like Security+) 
o Specialized training may be developed too 
e Vendor Relationships
o Non-Disclosure Agreement (NDA)
= Agreement between two parties that defines what data is considered
confidential and cannot be shared outside of the relationship
= NDAs are a binding contract
o Memorandum of Understanding (MOU)
= A non-binding agreement between two or more organizations to detail
an intended common line of action
= MOUs can be between multiple organizations
o Service-Level Agreement (SLA) 
= An agreement concerned with the ability to support and respond to 
problems within a given timeframe and continuing to provide the agreed 
upon level of service to the user 
= SLA may promise 99.999% uptime 
o Interconnection Security Agreement (ISA) 
= An agreement for the owners and operators of the IT systems to 
document what technical requirements each organization must meet 
o Business Partnership Agreement (BPA) 
= Conducted between two business partners that establishes the 
conditions of their relationship 
= A BPA can also include security requirements 


e Disposal Policies 
o Asset disposal occurs whenever a system is no longer needed 
o Degaussing 
= Exposes the hard drive to a powerful magnetic field which in turn causes 
previously-written data to be wiped from the drive 
o Purging (Sanitizing) 
= Act of removing data in such a way that it cannot be reconstructed using 
any known forensic techniques 


o Clearing 
= Removal of data with a certain amount of assurance that it cannot be 
reconstructed 


o Data remnants are a big security concern
o Possible reuse of the device will influence the disposal method
= 1. Define which equipment will be disposed of
= 2. Determine a storage location until disposal
= 3. Analyze equipment to determine disposal — reuse, resell, or
destruction
= 4. Sanitize the device and remove all its data
= 5. Throw away, recycle, or resell the device


e IT Security Frameworks 
o Sherwood Applied Business Security Architecture (SABSA) is a risk-driven 
architecture 
o Control Objectives for Information and Related Technology (COBIT)
= A security framework that divides IT into four domains: Plan and
Organize, Acquire and Implement, Deliver and Support, and Monitor and
Evaluate
o NIST SP 800-53 is a security control framework developed by the Dept. of
Commerce
o ISO 27000 


o ITIL is the de facto standard for IT service management 
= Being able to discuss ITIL will help in your job interviews 


e Key Frameworks 
o Center for Internet Security (CIS) 
= Consensus-developed secure configuration guidelines for hardening 
(benchmarks) and prescriptive, prioritized, and simplified sets of 
cybersecurity best practices (configuration guides) 
o Risk Management Framework (RMF) 
= A process that integrates security and risk management activities into the 
system development life cycle through an approach to security control 
selection and specification that considers effectiveness, efficiency, and 
constraints due to applicable laws, directives, Executive Orders, policies, 
standards, or regulations 
o Cybersecurity Framework (CSF) 
= A set of industry standards and best practices created by NIST to help 
organizations manage cybersecurity risks 
o ISO 27001 
= An international standard that details requirements for establishing, 
implementing, maintaining and continually improving an information 
security management system (ISMS) 
o ISO 27002 
= An international standard that provides best practice recommendations 
on information security controls for use by those responsible for 
initiating, implementing, or maintaining information security 
management systems (ISMS) 
o ISO 27701
= An international standard that acts as a privacy extension to the ISO 
27001 to enhance the existing Information Security Management System 
(ISMS) with additional requirements in order to establish, implement, 
maintain, and continually improve a Privacy Information Management 
System (PIMS) 
o ISO 31000 
= An international standard for enterprise risk management that provides a 
universally recognized paradigm for practitioners and companies 
employing risk management processes to replace the myriad of existing 
standards, methodologies, and paradigms that differed between 
industries, subject matters, and regions 
o System and Organization Controls (SOC) 
= A suite of reports produced during an audit which is used by service 
organizations to issue validated reports of internal controls over those 
information systems to the users of those services 


e SOC 2
o Trust Services Criteria
o Type II
= Addresses the operational effectiveness of the specified
controls over a period of time (usually 9-12 months)
o Cloud Security Alliance’s Cloud Control Matrix 
= Designed to provide fundamental security principles to guide cloud 
vendors and to assist prospective cloud customers in assessing the overall 
security risk of a cloud provider 
o Cloud Security Alliance’s Reference Architecture 
= A methodology and a set of tools that enable security architects, 
enterprise architects, and risk management professionals to leverage a 
common set of solutions that fulfill their common needs to be able to 
assess where their internal IT and their cloud providers are in terms of 
security capabilities and to plan a roadmap to meet the security needs of 
their business 
Incident Response Procedure

Our systems will never be 100% secure
o Incident Response
= A set of procedures that an investigator follows when examining a
computer security incident
o Incident Management Program 
= Program consisting of the monitoring and detection of security events on 
a computer network and the execution of proper response to those 
security events 
e Preparation 
e Identification 
e Containment 
e Eradication 
e Recovery 
e Lessons Learned
o Identification 
= Process of recognizing whether an event that occurs should be classified 
as an incident 
o Containment is focused on isolating the incident 
o Recovery 
= Focused on data restoration, system repair, and re-enabling any server or 
networks taken offline during the incident response 


Incident Response Planning 
o What is an incident response team? 
= Key people that are available to respond to any incident that meets the 
severity and priority thresholds set out by the incident response plan 
e Incident Response Manager 
e Security Analyst 
e Triage Analyst 
e Forensic Analyst 
e Threat Researcher 
e Cross-functional Support 
= Your CSIRT should be the single point of contact for security incidents and
may be a part of the SOC or an independent team
o Out-of-band communication
= Signals that are sent between two parties or two devices via
a path or method different from that of the primary communication
between the two parties or devices
o What is your backup plan? 
= Maintained and up-to-date contact list 
e Email 
e Web portals 
e Telephone Calls 
e In-person Updates 
e Voicemail 
e Formal Report 
= Prevent unauthorized release of information outside the CSIRT
o Senior leadership 
= Executives and managers who are responsible for business operations 
and functional areas 
o Regulatory bodies
= Governmental organizations that oversee compliance with specific
regulations and laws
o Legal
= The business or organization's legal counsel is responsible for mitigating
risk from civil lawsuits
o The decision to involve law enforcement must be made by senior executives 
with guidance from legal 


o Human Resources (HR)
= Used to ensure no breaches of employment law or employee
contracts are made during an incident response
o Public Relations (PR)
= Used to manage negative publicity from a serious incident


o CSIRT will be asked for information regarding the estimated downtime, the
scope of systems and data affected, and other relevant details
e Investigative Data
o Security Information and Event Monitoring (SIEM)
= A combination of different data sources into one tool that provides real-time
analysis of security alerts generated by applications and network
hardware
e Sensor
e Sensitivity
e Trends
e Alerts
e Correlation
o Log Files
= A file that records either events that occur in an operating system or
other software runs, or messages between different users of a
communication software
e Network
e System
e Application
e Security
e Web
e DNS
e Authentication
e Dump Files
e VoIP
e Call Managers
o syslog / rsyslog / syslog-ng
= Three variations of syslog which all permit the logging of data from
different types of systems in a central repository
o journalctl
= A Linux command line utility used for querying and displaying logs from
journald, the systemd logging service on Linux
o nxlog
= A multi-platform log management tool that helps to easily identify
security risks, policy breaches or analyze operational problems in server
logs, operation system logs and application logs
= nxlog is a cross-platform, open-source tool that is similar to rsyslog or
syslog-ng
o netflow
= A network protocol system created by Cisco that collects active IP
network traffic as it flows in or out of an interface, including its point of
origin, destination, volume and paths on the network
o sflow
= Short for “sampled flow”, it provides a means for exporting truncated
packets, together with interface counters for the purpose of network
monitoring
o Internet Protocol Flow Information Export (IPFIX)
= A universal standard of export for Internet Protocol flow information
from routers, probes and other devices that are used by mediation
systems, accounting/billing systems and network management systems
to facilitate services such as measurement, accounting and billing by
defining how IP flow information is to be formatted and transferred from
an exporter to a collector
o Metadata
= Data that describes other data by providing an underlying definition or
description by summarizing basic information about data that makes
finding and working with particular instances of data easier
e Email
e Mobile
e Web
e File
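The SIEM correlation and syslog bullets above describe what a central log tool does with authentication logs; this added example (not code from the study notes or from any SIEM product) parses classic syslog lines and applies one correlation rule: a burst of failed logins from one address within a time window raises an alert, and a later successful login from the same address escalates it. The log lines are constructed, the host and addresses are documentation values, and the year is assumed because the classic syslog format omits it.

```python
"""Parsing BSD-style syslog lines and correlating them like a SIEM rule (added example)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Optional

# Constructed log excerpt: four failures then a success from one address,
# an unrelated cron line, and a single failure from a second address.
SAMPLE_SYSLOG = """\
Jan 14 03:21:07 web01 sshd[2211]: Failed password for invalid user admin from 198.51.100.23 port 51234 ssh2
Jan 14 03:21:09 web01 sshd[2211]: Failed password for invalid user admin from 198.51.100.23 port 51236 ssh2
Jan 14 03:21:12 web01 sshd[2215]: Failed password for root from 198.51.100.23 port 51240 ssh2
Jan 14 03:21:30 web01 CRON[2220]: (root) CMD (run-parts /etc/cron.hourly)
Jan 14 03:21:44 web01 sshd[2218]: Failed password for deploy from 198.51.100.23 port 51250 ssh2
Jan 14 03:22:01 web01 sshd[2230]: Accepted password for deploy from 198.51.100.23 port 51260 ssh2
Jan 14 03:40:15 web01 sshd[2301]: Failed password for invalid user test from 203.0.113.5 port 40001 ssh2
"""

# RFC 3164 style header: timestamp (no year), host, program[pid]: message
HEADER = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"(?P<app>[^\[:\s]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$")
FAILED = re.compile(r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+)")
ACCEPTED = re.compile(r"Accepted \w+ for (?P<user>\S+) from (?P<ip>\S+)")


def parse(line: str, year: int = 2024) -> Optional[Dict[str, object]]:
    """Split one syslog line into fields; returns None for lines that do not match."""
    m = HEADER.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S").replace(year=year)
    return {"ts": ts, "host": m["host"], "app": m["app"], "pid": m["pid"], "msg": m["msg"]}


def correlate(lines, threshold: int = 3,
              window: timedelta = timedelta(minutes=5)) -> List[dict]:
    """Raise one alert per source address that produces `threshold` failed logins
    inside `window`; escalate it if the same address later logs in successfully,
    since a success after a burst of failures is the trace a password-guessing
    attempt leaves behind and the case that needs a human first."""
    recent: Dict[str, List[datetime]] = defaultdict(list)
    alerts: Dict[str, dict] = {}
    for line in lines:
        ev = parse(line)
        if ev is None:
            continue
        failed = FAILED.search(ev["msg"])
        if failed:
            ip, ts = failed["ip"], ev["ts"]
            # keep only failures still inside the sliding window
            recent[ip] = [t for t in recent[ip] if ts - t <= window] + [ts]
            if ip in alerts:
                alerts[ip]["failures"] += 1
                alerts[ip]["last"] = ts
            elif len(recent[ip]) >= threshold:
                alerts[ip] = {"ip": ip, "host": ev["host"], "failures": len(recent[ip]),
                              "first": recent[ip][0], "last": ts, "escalated": False}
            continue
        accepted = ACCEPTED.search(ev["msg"])
        if accepted and accepted["ip"] in alerts:
            alerts[accepted["ip"]]["escalated"] = True
            alerts[accepted["ip"]]["user"] = accepted["user"]
    return list(alerts.values())


if __name__ == "__main__":
    for alert in correlate(SAMPLE_SYSLOG.splitlines()):
        print(alert)
```

The second address only fails once and never crosses the threshold, so it produces no alert; tuning `threshold` and `window` is the "sensitivity" adjustment listed under SIEM above.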


Forensic Procedures 
o Written procedures ensure that personnel handle forensics properly, effectively, 
and in compliance with required regulations 


o Identification 
= Ensure the scene is safe, secure the scene to prevent evidence 
contamination, and identify the scope of evidence to be collected 
o Collection 
= Ensure authorization to collect evidence is obtained, and then document 
and prove the integrity of evidence as it is collected 
o Analysis 
= Create a copy of evidence for analysis and use repeatable methods and 
tools during analysis 
o Reporting
= Create a report of the methods and tools used in the investigation and 
present detailed findings and conclusions based on the analysis 
o Legal Hold 
= A process designed to preserve all relevant information when litigation is 
reasonably expected to occur 
= A computer or server could be seized as evidence 
= Appoint a liaison with legal knowledge and expertise who can be the 
point of contact with law enforcement 
e Analysis must be performed without bias 
e Analysis methods must be repeatable by third parties 
e Evidence must not be changed or manipulated 
o WARNING: Defense attorneys will try to use any deviation from these ethics as a 
reason to dismiss your findings and analysis 
o Timeline 
= A tool that shows the sequence of file system events within a source 
image in a graphical format 
e How was access to the system obtained? 
e What tools have been installed? 
e What changes to files were made? 
e What data has been retrieved? 
e Was data exfiltrated? 
= Many forensics tools can generate a timeline based on your evidence 
= If your tool doesn’t support it, you can create a sequence of events within 
a spreadsheet to serve as a timeline 


Data Collection Procedures 
o Data Acquisition 
= The method and tools used to create a forensically sound copy of data 
from a source device, such as system memory or a hard disk 
= Bring-your-own-device (BYOD) policies complicate data acquisition since 
you may not be able to legally search or seize the device 
= Some data can only be collected once the system is shut down or the 
power suddenly disconnected 
= Analysts should always follow the order of volatility when collecting 
evidence 
e CPU registers and cache memory 
e Contents of system memory (RAM), routing tables, 
ARP cache, process table, temporary swap files 
e Data on persistent mass storage (HDD/SSD/flash drive) 
e Remote logging and monitoring data 
e Physical configuration and network topology 
e Archival media 
o WARNING: While most of the Windows registry is stored on the disk, some keys 
(like HKLM\Hardware) are only stored in memory so you should analyze the 
Registry via a memory dump 
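The Collection and Analysis steps above (prove integrity as evidence is collected, then work on a copy) and the Data Acquisition notes come together in a small acquisition script. This is an added example, not part of the Dion notes; it assumes a POSIX shell with dd and sha256sum (or shasum), the evidence it images is a constructed sample file rather than a real disk, and the acquire_image function and custody log format are illustrative choices.

```shell
#!/bin/sh
# Added example, not from the Dion notes. Assumes POSIX sh with dd,
# sha256sum (or shasum) and /dev/urandom; the "evidence" is a constructed
# sample file, never a real disk.
set -e

# Hash a file with whichever SHA-256 tool the host provides.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# acquire_image SRC DST LOG  (illustrative helper)
#   1. hash the source before it is touched
#   2. bit-for-bit copy with dd: noerror keeps going past unreadable
#      blocks, sync pads short reads so offsets stay aligned (the source
#      must therefore be a multiple of bs, which block devices always are)
#   3. hash the image and refuse to trust it unless both hashes match
#   4. append a chain-of-custody record (when, who, what, hashes) to LOG
# Prints the verified hash and returns 0, or returns 1 on a mismatch.
acquire_image() {
    src=$1; dst=$2; log=$3
    before=$(sha256_of "$src")
    dd if="$src" of="$dst" bs=4096 conv=noerror,sync 2>/dev/null
    after=$(sha256_of "$dst")
    printf '%s\t%s\t%s -> %s\tsha256 src=%s img=%s\n' \
        "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "${USER:-$(id -u)}" "$src" "$dst" \
        "$before" "$after" >> "$log"
    if [ "$before" != "$after" ]; then
        echo "hash mismatch: image of $src must not be used" >&2
        return 1
    fi
    echo "$after"
}

# Constructed sample evidence: 8 blocks of random bytes (block-aligned).
WORK=$(mktemp -d)
dd if=/dev/urandom of="$WORK/source.bin" bs=4096 count=8 2>/dev/null
acquire_image "$WORK/source.bin" "$WORK/source.dd" "$WORK/custody.log"
cat "$WORK/custody.log"
```

Point it at a read-only attached drive in place of the sample file for real use; a source that is not a multiple of bs would be NUL-padded by conv=sync and correctly fail verification.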


e Security Tools 
o Networking 
o File Manipulation 
o Shell and Scripts 
o Packet Capture 
o Forensics 
o Exploitation 
o WARNING: You do not need to know how to use all of these tools, but you 
should be aware of what they are used for as a security professional 

e Networking 
o tracert/traceroute 
= A network diagnostic command for displaying possible routes and 
measuring transit delays of packets across an Internet Protocol network 
o nslookup/dig 
= Utility used to determine the IP address associated with a domain name, 
obtain the mail server settings for a domain, and other DNS information 
o ipconfig/ifconfig 
= Utility that displays all the network configurations of the currently 
connected network devices and can modify the DHCP and DNS settings 
o nmap 
= An open-source network scanner that is used to discover hosts and 
services on a computer network by sending packets and analyzing their 
responses 
o ping/pathping 
= Utility used to determine if a host is reachable on an Internet Protocol 
network 
o hping 
= An open-source packet generator and analyzer for the TCP/IP protocol 
that is used for security auditing and testing of firewalls and networks 
o netstat 
= Utility that displays network connections for Transmission Control 
Protocol, routing tables, and a number of network interface and network 
protocol statistics 
o netcat 
= Utility for reading from and writing to network connections using TCP or 
UDP which is a dependable back-end that can be used directly or easily 
driven by other programs and scripts 
o arp 
= Utility for viewing and modifying the local Address Resolution Protocol 
(ARP) cache on a given host or server 
o route 
= Utility that is used to view and manipulate the IP routing table on a host 
or server 
o curl 
= A command line tool to transfer data to or from a server, using any of the 
supported protocols (HTTP, FTP, IMAP, POP3, SCP, SFTP, SMTP, TFTP, 
TELNET, LDAP or FILE) 
o theHarvester 
= A Python script that is used to gather emails, subdomains, hosts, 
employee names, open ports and banners from different public sources 
like search engines, PGP key servers and the SHODAN database 
o Sn1per 
= An automated scanner that can be used during a penetration test to 
enumerate and scan for vulnerabilities across a network 
o scanless 
= Utility that is used to create an exploitation website that can perform 
open port scans in a more stealth-like manner 
o dnsenum 
= Utility that is used for DNS enumeration to locate all DNS servers and 
DNS entries for a given organization 
o Nessus 
= A proprietary vulnerability scanner that can remotely scan a computer or 
network for vulnerabilities 
o Cuckoo 
= Open source software for automating analysis of suspicious files 
e File Manipulation 
o head 
= A command-line utility for outputting the first ten lines of a file provided 
to it 
o tail 
= A command-line utility for outputting the last ten lines of a file provided 
to it 
o cat (concatenate) 
= A command-line utility for outputting the contents of a file to the screen 
o grep 
= A command-line utility for searching plain-text data sets for lines that 
match a regular expression or pattern 
o chmod 
= A command-line utility used to change the access permissions of file 
system objects 
o logger 
= Utility that provides an easy way to add messages to the /var/log/syslog 
file from the command line or from other files 


e Shell and Scripts 


o SSH 
= Utility that supports encrypted data transfer between two computers for 
secure logins, file transfers, or general purpose connections 
o PowerShell 
= A task automation and configuration management framework from 
Microsoft, consisting of a command-line shell and the associated scripting 
language 
o Python 
= An interpreted, high-level and general-purpose programming language 
o OpenSSL 
= A software library for applications that secure communications over 
computer networks against eavesdropping or need to identify the party 
at the other end 


e Packet Capture 
o tcpdump 
= A command line utility that allows you to capture and analyze network 
traffic going through your system 
o tcpreplay 
= A suite of free open source utilities for editing and replaying previously 
captured network traffic 
o Wireshark 
= A popular network analysis tool to capture network packets and display 
them at a granular level for real-time or 
offline analysis 


e Forensics 


o dd 
= A command line utility used to copy disk images using a bit by bit copying 
process 
o FTK Imager 
= A data preview and imaging tool that lets you quickly assess electronic 
evidence to determine if further analysis with a forensic tool is needed 
o Memdump 
= A command line utility used to dump system memory to the standard 
output stream by skipping over holes in memory maps 
o WinHex 
= A commercial disk editor and universal hexadecimal editor used for data 
recovery and digital forensics 
o Autopsy 
= A digital forensics platform and graphical interface to The Sleuth Kit® and 
other digital forensics tools 


e Exploitation 


o Metasploit (MSF) 
= A computer security tool that offers information about software 
vulnerabilities, supports IDS signature development, and aids penetration 
testing 
o Browser Exploitation Framework (BeEF) 
= A tool that can hook one or more browsers and use them as a 
beachhead for launching various direct commands and further attacks 
against the system from within the browser context 
o Cain and Abel 
= A password recovery tool that can be used through sniffing the network, 
cracking encrypted passwords using dictionary, brute-force, and 
cryptanalysis attacks, recording VoIP conversations, decoding scrambled 
passwords, revealing password boxes, and analyzing routing protocols 
o John the Ripper 
= An open source password security auditing and password recovery tool available 
for many operating systems 


https://www.DionTraining.com © 2022 v1.2 
Dion Training Solutions, LLC is a Platinum Delivery Partner for CompTIA certification products. All rights reserved. 


Conclusion 


e Conclusion 
o We learned all the information in a more practical order 
o Domains (SYO-501) 
= Attacks, Threats, and Vulnerabilities (24%) 
= Architecture and Design (21%) 
= Implementation (25%) 
= Operations and Incident Response (16%) 
= Governance, Risk, and Compliance (14%) 
o Let’s get you certified on your first attempt! 
o You can take it at any PearsonVue testing center worldwide 
e Exam Tricks 
o 1. Use a Cheat Sheet 
o 2. Skip the Simulations 
o 3. Take a Guess 
o 4. Pick the Best Time 
o 5. Be Confident 


Let’s get you certified! 